EMForum.org Presentation — September 22, 2010

Private Sector Preparedness (PS-Prep)
Accreditation and Certification Program

Donald Byrne, CBCP, CDCP, CBRO-M
Lead Auditor
Adjunct Professor, Boston University

Amy Sebring
EIIP Moderator

The following has been prepared from a transcription of the recording. The presentation slides (Adobe PDF) may be downloaded from http://www.emforum.org/vforum/PS-Prep/Overview.pdf for ease of printing.


[Welcome / Introduction]

Amy Sebring: Good morning/afternoon everyone. Welcome once again to EMforum.org. I am Amy Sebring and will serve as your Moderator today. We are very glad you could join us. For our newcomers, we will be providing some instructions as we go along so you can relax and participate with us.

We are continuing to observe National Preparedness Month with a focus on preparedness programs. Today is Private Sector preparedness, PS-Prep. You may be aware that DHS adopted three preparedness standards during this past June. Today we will learn more about how this program will be implemented in the months ahead.

We are making a recording, which should be available later this afternoon. The text transcript will be posted later on. If you are not on our mailing list, you can Subscribe from our home page, and then you will get a notice when they are ready.

[Slide 1]

Now it is my pleasure and privilege to introduce today’s guest: Donald Byrne has spent much of the past thirty years working in the fields of computer development, emergency management, business continuity, and operational resiliency. Don is an Adjunct Professor at Boston University where he teaches graduate programs in business continuity, risk and security.

An entrepreneur and former venture capitalist, Donald Byrne is the founder and Managing Director of North River Solutions (NRS), a consulting, and research firm; and is CEO of Metrix411, a software company specializing in assessments and business benchmarking.

Currently, he is the Association of Contingency Planners representative to the ANSI National Accreditation Board's Committee of Experts (ANAB-COE), charged with advising the government on the PS-Prep program.

Please see today’s Background Page for further biographical information and note there are several links to related material where you can access for reference later on.

Welcome Don, and thank you very much for being with us today. I now turn the floor over to you to start us off please.

[Presentation]

Donald Byrne: Thanks very much. Hello, everyone. I usually like to begin the presentation with this cartoon of my friends, the dinosaurs, who are saying "Don’t worry—we have a disaster plan", because it brings up one of the key issues that everyone in the business of preparedness deals with, which is thinking that a plan is really a solution.

[Slide 2]

However, as the next slide shows, we have a quote from someone who was responsible for planning the D-day invasion, General Dwight D. Eisenhower, and when given compliments about the quality of that particular plan, his comment is one that we should all bear in mind as we go through a discussion of PS-Prep, and that is, "The plan is nothing, but planning is everything."

Quite frankly, that is really what PS-Prep is about—it is about developing not only a plan, but the planning methodology to all organizations to deal with the wide variety of different threats and risks that surround us.

On the next slide, we’ve got a little graphic that I’d like to say that although we’ve been successful today, if you feel like you’re drinking water from a fire hose. There’s a vast amount of information to cover in even addressing part of this program. We’re going to go through this rather rapidly and preserve some time at the end for us to be in a position to answer some questions.

[Slide 3]

I’d like to talk about the agenda we are going to do. I have this particular presentation divided into three logical segments. The first segment is the historic perspective. I’m going to do this very lightly. I think the audience is quite familiar with PS-Prep, but we will touch lightly on the origins.

[Slide 4]

Next, we’ll move, and I’ll try to put things into a strategic perspective. This is an issue of key concern and growing concern to many, many executives. This is truly a strategic initiative that ties into not only the issues of emergency planning, disaster recovery and business continuity, but should also be a factor in long range planning, and really, to be successful, has to become a part of one’s corporate culture.

[Slide 5]

The third element that we’re going to deal with is I’m going to try to clear up some of the confusion about this program, because it has been around for quite awhile.

[Slide 6]

Let’s jump to just a little bit about the origins of this program. As I said, I’m going to touch this very lightly. Certainly, we will take questions at the end if anyone has a need to know a little bit more about this, and the fine resources that have been indicated in the presentation are places you can go to get a lot of background material.

This slide is one that brings a heartfelt feeling to everyone, showing the site of the twin towers in New York City. I also don’t forget the terrible tragedy suffered by the people in the Pentagon on that horrible day in September. This led to a questions that resonated throughout our entire country and the world, which is—how prepared in the U.S. to deal with a variety of disasters? How prepared are businesses to deal with a variety of disasters, not only criminal and terrorist activities, but a variety of them?

[Slide 7]

That brings us to the next slide where we have a graphic that talks about the role of preparedness. What is role of preparedness in many, many of the disciplines that are out there? You see that business continuity is really responsible for protecting the intellectual property, the processes, and vital records of a particular business. The quotes on the left hand side here from the Brookings Institute indicate that only 15% of the value of an enterprise really resides in the tangible assets of a company—the cash, the property, the manufacturing equipment, or the hundreds of services they own.

Really, up to 85% of the value of every organization is the intangible assets. That’s why we have really transitioned from a manufacturing based society to a knowledge based society. That is really where the role of business continuity planning comes into play. BCP is focused on really helping to protect key elements of 85% that represent the real value of companies.

The reaction of the community is highlighted in the form of the 9/11 Commission which was put into play and began its work shortly after the disaster occurred in New York and Washington, D.C. , and came up with a wide variety of recommendations. It actually gave birth to a public law—Public Law 110-53 (110 being the 110th Congress, or groups that put it together).

One of the titles, one of the elements of Public Law 110-53 is also known as PS-Prep. PS stands for Private Sector, and Prep stands for preparedness. That’s the origin of the PS-Prep term. It comes as one of the elements of Public Law 110-53.

[Slide 8]

We have an image that shows us the signing ceremony. President Bush signed Public Law 110-53 into law on August 3, 2007—actually, more than three years ago this particular initiative became the law of the land. We’ll explore a little bit of what that means.

[Slide 9]

Since then, there have been two announcements in the Federal Register. As you’re aware, the Federal Register is used as the announcement mechanism for many public programs and for agencies and elements of the federal government to make pronouncements and put out information to the public.

Noteworthy dates here—the first publication on December 24 in 2008 which laid out the elements and plans that DHS had in play and some of the directional guidance they were providing to all of us in terms of where the program was going. This was followed almost a year later in October of 2009, when a much more detailed discussion came out around the areas of which standards were being proposed for public debate and discussion as part of the PS-Prep program.

There, it languished for awhile, until this past June (2010), Senator Lieberman, who had led the Homeland Security Committee in the Senate, and Congressman Thompson from Mississippi, who heads up the same committee, but in the House, jointly sent a letter to Secretary Napolitano saying, "It’s been almost three years—what’s the status? We really want to see this program going. Please send Congress an update."

Less than two weeks later, on June 15, 2010, the program was finally announced, and the elements of it, meaning the selection of standards, finally came true.

[Slide 10]

The next graphic I put together is called the PS-Prep timeline, and what it is designed to do is give you a little bit of a sense of how things occurred, starting with the 9/11 attack in Q3 as 2001—the 9/11 Commission Report being issued in 2004, and then the progress that has been made through that period of time. I also have on here some of the elements of the program that we are anticipating coming.

This is a little bit of forward-looking—certainly no guarantees to this—but it may give you a little bit of sense of how things rolled out. I think the message this graphic should convey is that momentum is certainly building for this program. We really do believe we are on the verge of a real change and full announcement of the program.

[Slide 11]

This is a graphic that gives you a sense of the 24 different elements that made up Public Law 110-53. The key one that we are going to be concerned with here is Title IX—Private Sector Preparedness. If you advance the slide, you’ll see that graphic will animate and the part on Private Sector Preparedness will come out as highlighted.

That is really the focus. Many of the others have to deal with issues such as training and grants for implementation of the incident command system. It dealt with a wide variety of issues dealing with marine safety, public transportation safety, and it also dealt with some other issues dealing with interoperability and communication. It really was very broad in its coverage.

[Slide 12]

The area that has gotten our attention, as the next element of animation will show you, is Title IX Public Sector Preparedness. Sometimes, that is what you’ll hear people who have been involved with this for a long time referring to the PS-Prep program as being—Title IX, and that is the origin of that use of terminology.

On this slide we go into what this Title IX (and here I’m actually using that phrase instead of PS-Prep) calls for. As you’ll see as we move through and animate, it calls for the selection of one or more business resiliency standards. National Fire Protection Association (NFPA) Standard 1600 was specifically called out in the legislation.

At that time, the version of NFPA that was available was the 2007 version. There has been a subsequent, updated version, called the NFPA 1600 version 2010, just released this past year. That now also plays a role in the PS-Prep program, which we’ll talk about in a moment or two. But the key here is that is calls for one or more resiliency standards. That is actually the direction that FEMA and DHS went, and they decided that no one standard really met their requirements.

We had the specification of actually more standards, and quite frankly, it is conceivable that in the future additional standards will be brought into this program as a way of really enhancing and customizing the program to the wide variety of needs of all the different businesses in the U.S.

Moving forward on this slide, we can see that a credentialing agency would be named. The goal was to name it within 210 days. They missed that guideline a little bit. That credentialing agency was named, and we’ll talk about that a little. It is called ANAB—it’s the ANSI National Accreditation Board.

Moving on with the animation, that agency will then in turn credential service providers. I use the terminology CB/R, which stands for Certification Body/Registrars. This is term of audit that used for organizations that meet the various criteria to do independent auditing. These are the organizations you may know from one of the areas they are also very involved in, which are ISO 9000 Certification, which is a quality management system, possibly from some of the cyber security initiatives they have going on right now as well.

The last of the bullets here talking about businesses passing the audit will be posted on a special ANAB website—that’s really right now, from what we understand the way in which people who will go through the full certification will be recognized. You’ll be able to look them up online on a website element maintained by the ANSI National Accreditation Board, or ANAB.

[Slide 13]

On this slide we talk about what Title IX does not call for. I have in blue here what people might confusingly think is an element, or what you might be hearing. This is where we’re trying to get the clearing of some of the confusion about this particular law.

Mandatory audits—the PS-Prep program is 100% voluntary and from every indication, it will always remain 100% voluntary. However, there is market pressure for people to engage in the audits. This gets into one of the discussion points around how does one justify to management the investment in going with this program. It turns out that there is market pressure. The best example we can point to is, look at the evolution of ISO 9000.

Given the opportunity to do business with an organization which has an ISO 9001 certification, versus one that did not, there is certainly a market advantage to someone who has gone through the ISO 9000 process. That is a little of what we’ve been seeing. In fact, in the past six months there have been several federal bids come out where specifications of different ISO standards, in particular ISO 20000 which has to do with service management and ISO 27001, which has to do with cyber security—certification to those standards are required of people who want to bid on the projects.

Even though those certifications and the audits associated with those certifications are 100% voluntary, they became the prerequisite for organizations to begin bidding on various projects. That applied not only to prime contractors, but to all of the subs they worked with on these projects as well.

The second area of confusion has to do with audits by a certified provider. This is not an element of the law. What the law says is that you need to have an audit performed and it should be performed by someone who is competent—the person who supplies the competency is the agency, the credentialing agency we are working with, which is ANAB. But quite frankly, you can have an audit done by anyone but ANAB will not recognize it.

You will not get listed on that website that we mentioned before, but that’s not to say there’s still not a value to this. In fact, when we get into an issue of how small businesses who can’t afford to go through a full, formal audit deal with this issue, that is when we’ll see some of the alternatives come out through service providers who are not necessarily certified to deliver these services.

Underneath that, these are some of the other issues that came up in the course of discussions around the PS-Prep program—insurers will give you a lower rate, or rating agencies will begin selling your credit information—the fact is that these are not necessarily true statements. There are certainly elements of truth to all of them. But, for example, when dealing with the first one, there is no set price for insurance—this is referring to business interruption insurance. Every business is unique. Every building you are looking to insure is unique. Every operation is unique. There really is not set price.

Can you make a point when you speak to your underwriters and your insurance agents that you should deserve consideration if you have a continuity plan, if you have a certified continuity plan? Absolutely—and I urge you to bring that up to them. But the idea that there would be a discount—there really is no set price, and therefore, there can’t be a discount.

Jumping to the very bottom bullet, that there is federally funding for this—unfortunately, no. This is an unfunded mandate. This is left to organizations who wish to participate to do so on their own.

[Slide 14]

The next slide is entitled "Gaining Momentum". This is really true, and I believe that what we’re seeing right now is the final element being put together. ANAB, the ANSI National Accreditation Board, has already begun holding meeting with interested certification bodies, the organizations that will actually perform ‘certified’ audits, the ones that ANAB will recognize and list on their website, as opposed to someone who comes in and does certification or does a review of your business on their own.

The ones that will be recognized by ANAB—ANAB has already had a meeting and somewhere in the area of 15 organizations have indicated their interest—these are the organizations that again, have come out of doing ISO 9000 kinds of audits, and have conducted many, many thousands of audits over the course of the year. Fifteen is a very good number, and will certainly provide ample competitive pressure in the market to give you a lot of choice if you decide to move forward.

ANAB has been soliciting information on various training programs to do work in this area. Right now there are no designated by ANAB approved training programs for auditors in this area. That is, quite frankly, one of the last items holding up the launch of this program. If you listen to the people at ANAB, they expect to have this issue resolved by month’s end.

That’s why the next bullet says that ANAB should be accepting applications in October. It is still questionable, but that certainly is their intent—to get this program up and launched in combination with the upcoming new federal year. Given the announcement and accepting of applications from certification bodies to begin applying for the accreditation in this area in October, training of the auditors and actual audits could begin as early as Q4 of this year and then by Q1 of 2011, we expect to see things beginning to gain momentum.

There is a process in which ANAB will go out on initial audits to ensure the quality and verify the training of people producing those, and that’s why there is some lag time, but certainly by the end of Q1 2011, we should have a body of well-trained auditors able to do this work and ready to deliver on this commitment.

[Slide 15]

Let’s move on now to the issue of implementation. We’ll move rapidly from the slide entitled "implementation" to this graphic which says, "Now it gets complicated." Again, in the interest of time, I’ll touch on this lightly, but you are certainly invited to contact me to get more details if you’d like.

To answer the question, "Who sets standards?"—the answer is, lots of people set standards. There are industry groups that set many standards. In fact, the federal government recognizes 18 critical infrastructure key resource segments, such as the banking and finance segment, hospitals, a whole variety of electrical grids and nuclear power plants. There are 18 critical infrastructure key resource sectors and each of them has a set of rules, and particularly those dealing with business continuity, that are set by regulators in that area.

For example, the Security Exchange Commission oversees the operation of security broker-dealers. On their website, you can find a template of a suggested set of topics that a broker- dealer should address when putting together their business continuity plan. They actually provide a template and an outline of what they are expecting to see. By the way, they have the ability to go off and enforce fines and other disciplinary actions against organizations that don’t adhere to this.

The same is done by the Joint Commission in the area of hospitals and medical institutions. Many industry groups set standards. Then, there is the second bullet here, which is called the standard development organizations, or SDOs. There are many standards development organizations. One we have alluded to already is the National Fire Protection Association (NFPA). Another one is the ASIS organization which has been very active in the area of information security standards.

There are many SDOs and these SDOs are not only in the U.S., but are worldwide. They will promulgate standards that are then submitted to be approved either on the national level, and when they are done nationally in the U.S., they are certified by ANSI, the parent organization of ANAB. Or, they can be submitted to the international group, ISO. Various government agencies certainly set standards, and many more people.

[Slide 16]

This graphic gives you a sense of some of the different standards that are out there. Quite frankly, new standards are being promulgated all the time. I have just finished being on a technical committee developing some standards in the area of business continuity planning for the United Arab Emirates. One of the most respected set of standards in the world are actually coming out of New Zealand and Australia, and they have just recently released their set of standards. There are some well respected standards coming out of Singapore.

There are many, many standards, and this is why this gets complicated and confusing. There are so many people that are promulgating standards, the ability to manage all of this process and do it in a clear and concise manner is quite challenging and I think it explains to a large degree some of the issues that DHS and FEMA have been dealing with for the past few years in an effort to bring this program out in an unified and understandable manner. They are really dealing with many different constituencies and a whole rash of different standards that are out there.

This is the home page for ISO, the International Organizations for Standardization. If you haven’t spent any time looking at the ISO website, that is time well-spent. You’ll see on that site about new committees that are being developed. Quite frankly, ISO, the last number I saw was somewhere in the area of 14,000 different standards they are trying to manage internationally.

They are trying to provide oversight and quality control.

There are many, many standards. There are everything from manufacturing standards, to materials—there are actually new standards coming out right now in the area of societal responsibility and ethics—very fascinating topics. If you haven’t spent any time there, I suggest you go to the ISO website. You’ll find it very interesting and intriguing.

[Slide 17]

Let’s move on to the next slide that talks about how it works. We’re going to go through this rapidly. This again is a bit of animation. We have an international group of accreditation bodies. It turns out that every one of the developed countries has an organization like ANSI - ANAB in place, which is their accreditation body. All of these organizations belong to something called the International Accreditation Forum (IAF), and they signed the Multilateral Recognition Agreement (MRA).

Why is this important? It is important for the simple reason that it says that this peer reviewed organizations, this group of bodies, maintains the very highest standards, and these standards are common across all the countries. If it turns out that at some point in time you decide you have an operation in another country, and that it is easier for you to have that organization certified by the local or indigenous accreditation body, ANAB, which is a signatory of this Multilateral Recognition Agreement, will recognize that certification, and vice versa.

Anything done in the U.S. will be recognized by people in the U.K., or in Japan, India, or any of the other countries that participates in this. As we begin to animate, we see that this is a peer review operation. As we advance to the next part, these are the individual accreditation bodies. These are the national bodies that go through the certification. This is where our organization, ANAB, comes into play.

ANAB is an accreditation body. In the United Kingdom, it is called UKAS—the United Kingdom Accreditation Service. Sometimes it is called an accreditation body and sometimes it is called an accreditation service. Animating to the next step, they in turn work with the certification bodies and registrars. Those are terms that are used.

Some people call them Lloyd’s Registrar, which is a division of Lloyd’s of London. Others call themselves certification bodies. These are independent firms that hire the auditors and have a number of different standards. By the way, those standards are ones that ISO puts on them, in terms of training, maintaining independence, dealing with questions of someone who is unhappy with the findings, just a whole variety of areas. The entire operation is managed through a series of different ISO standards. It is a very well regulated process.

As we advance to the next part of this, those certification bodies and registrars, in turn, are the ones who deal with the actual end clients and deliver the certification. If you will, the authority for the certification bodies to go out and grant a registration or certification comes from a national accreditation body. That national accreditation body is then recognized internationally through a peer review process by the other national bodies around the world. That’s really how this whole process works.

[Slide 18]

On the next slide we have an image of the ANAB home page. Again, it’s a place where if you haven’t spent any time there, I suggest you’ll find it very interesting. Listed there in the bullets, you’ll find the different ISO and other standards that ANAB is currently involved in. You can see that ISO 9001 quality management leads the pack, followed by ISO 14001 environmental standards and then information security, etc.

This gives you a sense of what ANAB is doing. New standards are being promulgated all the time. About midway through, you’ll see ISO 28000. This is a new initiative that has been put in place that recognizes the challenges of managing a supply chain. That’s a quick one on that.

[Slide 19]

As you go and dig deeper into these website you’ll see display like on this slide, which says, "Scope of Expertise" which will indicate what are the standards that different registrars and different certification bodies support. When you go to choose someone, you look for the area you are interested in. You look down the column and you see who is available to provide you with capability in that area.

[Slide 20]

I want to make sure you don’t confuse the term "standards" with "methodology". These terms are sometimes used interchangeably. They are not interchangeable. Standards tell you what to do. Methodology tells you how to do things. For example, in the business continuity area, the two leading people offering, although not the only ones offering methodology in this area, are the Disaster Recovery Institute International and the Business Continuity Institute, which is a U.K. based organization.

They have a methodology, a manner, in which you go ahead. As long as the methodologies meet all the requirements of the standards, you are free to use them. Many organizations will develop their own methodologies to meet the needs of the standards. So, standards tell you what to do. Methodology tells you how to do them.

[Slide 21]

What you’ll see here is a combined governance risk compliance and security model which is beginning to gain favor. This is the one our organization particularly uses. It really does touch on all the elements of all the standards.

Let’s now move to the controversy. Let’s move through the controversy slide to the one that shows us two globes and the various standards that the Department of Homeland Security finally selected and officially announced in that letter from Secretary Napolitano in June of this year. There really four that are out there—BS25999 (British Standards), 2007 version, SPC1, which comes from the ASIS organization, and that stands for Security Preparedness and Compliance, 2009, and then two version of NFPA1600, both the 2007 and the 2010 version of the standard.

[Slide 22]

As the next slide shows, comparing and contrasting are really a comparison of apples and oranges. There really are some differences. My recommendation to understand these is looking at something called the Sloan Report. The Alfred P. Sloan Foundation funded a research project to really compare and contrast all the different standards that were available. Three of the four are covered in this particular document. The one that was not in existence at that time was the NFPA1600 2010 standard. The other three are completely covered.

As this slide will show you, which is actually a photo shot taken of the framework for voluntary preparedness—it not only compares and contrasts those standards, but it compares and contrasts them against other best practices and industry specific guidelines. So if the Joint Commission has a set of standards for the operation of a hospital, or the FCC has standards for the operation of broker/dealer, or the Federal Reserve has operations for banks, this document will actually give you a crosswalk that will compare and contrast all of those elements against each other.

I think it’s one of the most valuable documents anyone can become familiar with who is interested in the PS-Prep Program.

[Slide 23]

This gives you a list of different reference material. This is designed to augment the material the EM Forum is providing you with in showing you where you can actually download it:

and then the standards themselves,

[Slide 24]

I’ve put together a little side by side comparison here. I invite you to take a look at that and if you have any questions, please feel free to contact me and I’ll try to expand on any comments that are made. It’s entitled "A Simple Comparison". It really is simple. It is not designed to take the place of the Sloan Report—it is designed to give you a high level sense of the difference between these.

[Slide 25]

Moving on, the short hand version of all of this can be summarized in three bullet points, which is—the real strength of the NFPA 1600 2007 and 2010 versions is that it is really focused on emergency management and crisis control. It speaks directly to the use of the NIMS system and the Incident Command System.

British Standard 25999 is really a business continuity focused element, and that’s not to say that elements in all of these standards can be used to cover everything. But if you look at where they really put their emphasis, NFPA 1600 is focused on emergency management, BS 25999 is focused on business continuity, and SPC1 is really focused on operational preparedness.

As I mentioned, there are other standards coming. In fact, I worked on a committee that is promulgating a new standard temporarily called BCM1, which will be submitted to ISO for their approval at some point in time. That will be out for public comment in the near future.

[Slide 26]

Part of the reason that DHS was forced to choose more than one standard is that no one standard met the needs of everyone. These bullets give you an indication of some of the issues that are missing from one or more of the standards. As I mentioned, emergency management and in particular, the Incident Command System, which is widely adopted throughout North America is addressed specifically in the NFPA 1600 series of standards. It is not really spoken of in BS25999. That is an area where 25999 might be considered a little deficient.

On the other hand, the bottom line dealing with spoliation and chain of custody, control of vital documents, is something that none of the current standards speak to. I think some of newer standards that are going to come out will speak to this.

In the world of "e" discovery, we’re being able to forensically demonstrate that no one has tampered with the email or other kinds of electronic documents—that’s a very important issue, and one that is the responsibility of the continuity planner—to maintain not only the records, but to maintain them in a manner that they can be taken to court and be demonstrated to be forensically accurate.

[Slide 27]

Here is one of the other areas of controversy—what do we do about smaller firms? This is an area of active discussion. There are some subcommittees in place right now dealing with this particular topic. How do small businesses and small firms deal with the question of the expense of having an audit performed?

This is where the issue of first and second party certification comes into play. In particular, if I were a betting man, I would guess that the first party self-assessment is going to play a role in this particular issue. It will be something that will allow smaller businesses to go through some kind of an evaluation and make a self-declaration about their preparedness in the area of business continuity and planning.

[Slide 28]

As I alluded to before, this is a topic of interest to executives. Even Boss Hog would have found this topic of PS-Prep to be of interest because it really gets to the essence of a business when you look at it strategically. I’ve given you six comments that I think from my discussions with people—these six topics that are really coming to fruition as the core of the business case to be made.

I assure you, if you mention these six words to any executive in a sentence, "PS-Prep deals with the issues of governance, risk management, compliance, liability, valuation, and the supply chain", you will have their attention. These are the issues that executives spend their time on. This is the really the essence of where a business case can be made.

[Slide 29]

The other area of this sometimes referred to as GRC (Governance, Risk, and Compliance)—if you Google that particular topic, you’ll get over 11 million hits on this topic. It is something that is growing. The Forester Organization, which is a think tank, indicates that this business area is going to undergo significant growth. This is really right square where PS-Prep is located. It is dealing with the issues of governance, risk and compliance and is really tied into this business.

I’ll move through this quickly in the area of regulations. We know the procedures and regulations apply to everyone, and here is the challenge—both small and large companies are faced with the same set of compliance issues. That is why compliance is such a hot topic.

[Slide 30]

I’ll put out this little pop quiz, or rhetorical question which is—who do you think will decide if you have a good plan? Who will decide if you have liability? The answer is actually "D". It is not the shareholders or board of directors or regulators. It is actually the courts that will decide it. It is Judge Judy who will decide whether or not you have any liability and if you’ve met the standard of care. This is why it is so important at an executive level for organizations to understand the role that PS-Prep can play in this area.

[Slide 31]

We’ll talk a little bit about a landmark case that took place. The interesting fact is on this particular case is that the final determination of the Court of Appeals in New York was that in the very first World Trade bombing, the Port Authority of New York, which was considered to be a landlord, was found to be 68% responsible for the attack, and the terrorists only 32%. The reason being that anybody who is more than 50% at fault can be held fully liable for the financial roles here.

The point is that the courts are very interesting organizations, and we really don’t know how they’re going to interpret a law. The role of the federal register is the place where the federal government makes public disclosures. In the lack of a lot of precedence, courts may look to statements and publications made in the publications like the federal register as an indication of what the standard of care should be, and what the standards are that people should hold to, and again, another reason why the PS-Prep program, which has been discussed in the federal register, must be taken seriously by executives.

[Slide 32]

The next graphic talks about the impact of evaluation. This is the result of a study that we go over in the class they teach at Boston University which shows the impact on share value of having a business continuity plan or not. The point is that when this particular study was stretched out where it compared companies in the blue that actually had a continuity plan versus those who did not, after a three year period of time, there was between a 33% and 40% difference in the value of share price of companies that had a continuity plan.

The market rewarded them for having a business continuity plan and reacting quickly and effectively to a crisis. It punished those organizations that did not.

We’re moving to resiliency and credit rating. This is something that has been called out for, an the Standard and Poor’s has made a statement in this area. Public Law 110-53 has actually spoken to the issue of the role of credit rating agencies and insurance agencies in providing support for the PS-Prep program.

The last issue is supply chains, and this is an area getting a lot of attention as people look at moving forward with building the business case with PS-Prep. The next graphic asking "How resilient is your supply chain?" shows that supply chains, because of the attenuated nature of them, a failure in any one point can have a rippling effect up and down the supply chain, and the failure of any one key supplier can dramatically effect someone’s business.

This is an area that is getting a lot of attention. Resiliency and questions about how prepared are organizations are being extended not only to the particular company, but to their supply chain. As the next graphic shows, even companies we all come to depend on, like Wal-Mart, can suffer terrible damage and destruction in various crises.

[Slide 33]

I’ll move on to the next slide here which is entitled "Don’s Definition of Resiliency and Business Planning". I just like to say when you speak to executives that you talk about the continuity plan, the preparation plan, the PS-Prep program, in some sense, is really the shock absorber for your business.

[Slide 34]

We’ll go on to say that resiliency, under another definition can be said to be something that is that quality that if a disruption occurs, it is transparent to your clients and other stakeholders, then your organization is resilient. You may have problems going on, but if it is transparent—if you’re able to hold it together, if you’re able to meet your various RTOs and RPOs, to speak in the language of business continuity planners for a moment, then you are, in fact, a resilient organization.

[Slide 35]

The next slide says we have one last concept to touch on. I’ll touch on it very briefly. It’s the issue of management systems. I’ll just simply say that the Plan-Do-Check-Act model is one that has been picked up by organizations in the ISO world and now all of the standards (SPC1, BS25999, and NFPA 1600 2010) are all based on management systems.

Management systems grew out of some developments in the quality area. They actually came out of the work of Dr. Deming when he began his work in Japan and led to the revolution in the Japanese economy as they began to move forward.

[Slide 36]

There are eight elements to a management system. I invite you to look at these particular topics. The goal of these is to convey value and confidence to an organization.

[Slide 37]

We are now on to our summarization of the PS-Prep program. It is really a program that is very comprehensive. There is a vast amount of information to go over. I hope this has been something that you feel is worth your greater attention. Hopefully, it equipped you with a little bit of something to say to your executive team. I think at this point we will leave it, and I will end on that note, and invite questions to come our way.

Amy Sebring: Thank you very much Don. Now, to proceed to our Q&A.

[Audience Questions & Answers]

Question:
Alan Berman: Don, you seem to imply that certification under the PS-Prep program will provide some kind of legal protection. However there is no substantiation for this. In October of 2008 the legal panel for HSSP (Homeland Security Standards Panel) said that there has been no record of the defendant or plaintiff using meeting standards as a defense. In fact Intercep has stated that: There is a potential disincentive pertaining to undertaking preparedness certification and the related documentation of preparedness actions undertaken by a company, especially with respect to the identification of risks to the company and its current vulnerabilities. Absent some legal privilege such as attorney-client privilege or work product privilege, documents generated during the certification process could become discoverable and could be used against the company in any future litigation or investigations. That scenario functions as a disincentive to undertaking and documenting preparedness actions. Would you comment?

Donald Byrne: I think that Alan’s comment is exactly right, and I hope I wasn’t misunderstood. I had the issue as legal protection as one of the myths that are being promulgated. I’m very glad you brought this topic up. You do not get protection. On the issue of "discoverable", everything is discoverable, except, as he points out, things that are rendered under attorney-client privilege.

Whether you do a self-assessment or you do any work in the area of preparedness, any of that is discoverable. But that leads to his point that certification does not provide any kind of protection. Actually, to the other point I was trying to make, courts, in the absence of having actual legal cases that have been adjudicated, which give us a better understanding of what all of these things really mean, could be seen to look to publications in the federal register as indicating what standard of care would be anticipated.

It’s sort of a "cat’s out of the bag" already. I am not an attorney and I don’t play one on TV, but if you speak to attorneys, they will tell you that it is not unknown for courts, in the absence of precedence, to look around at public disclosures made by organizations, such as the federal government, that indicate what the standard of care could be, and then interpret what those statements are to indicate what someone should be doing.

I agree with Alan’s comment. I’m sorry if I didn’t get that across. I put forth the idea that legal protection is one of the myths that is promulgated around PS-Prep. PS-Prep does not provide you with any of that protection.

Question:
David Kondrup: If a company fails a PS-Prep Audit, do you see a market for firms to do a Corrective Action Plan or prepare to pass a re-audit?

Donald Byrne: The answer is yes. Of course, when you go through an ISO audit, the goal of the auditor (and this is actually taught) is to find the company in compliance with their standard. It is not as adversarial a relationship as one might anticipate. Secondly, companies can have minor problems, which are called minor discrepancies, minor nonconformities is the technical term, and be given the opportunity to cure or correct those within a timeframe.

They can also be issued a provisional certification in this area. If they have a major nonconformity, they can address that issue and come back and ask to be re-certified. Generally, if you go through this before you go through any of this work, it is advisable to have someone who is knowledgeable in this area—a consultant, or someone else—really help you go through this.

What we’ve found in the audits we’ve been involved in—and I’ve been involved in some of the 25999 audits that are sanctioned by UKAS—that organizations are sometimes hard to determine what their shortcomings are. You really need an outsider to provide you with some of those insights.

Question:
Steve Hauser: Is there any expectation that companies will need to be certified under more than one of the three standards?

Donald Byrne: It’s a very good question, and generally, the feeling seems to be that you will choose one of the standards. It is more than sufficient. The only case that I’ve seen in discussions I’ve had with people is if there are particular international operations which might be better handled through one of the other standards, they might move to do that. That is really less than a 1% probability. You’ll choose one standard and follow that one standard, and that is more than sufficient.

Question:
Janice Banks: When do you think certification body criteria and training will get started? What organization will provide training and certification to independent private businesses?

Donald Byrne: We’re hoping, and in public statements made by ANAB, that they are very close to releasing the criteria, what are called the accreditation rules to be made available, which will then allow the process to open. They will begin offering to certification body registrars the option of applying for accreditation in this area. That is expected to take place in October.

In parallel, what will have to happen, is that courses that would be approved by ANAB to provide auditor training will be announce. There is some indication (can’t guarantee) that ANAB, acting on behalf of the industry, will make available in some public area, such as a website, a list of organizations that are credentialed to offer these particular courses.

Question:
Amy Sebring: How much does an audit typically cost?

Donald Byrne: It’s interesting—what I think we’re all familiar with is going back to the ISO 9000 experience—what we understand about ISO 9000 is that many organizations limit the scope of the audit and the certification to one or two particular areas of operations. For example, in a manufacturing operation, you might limit it to the manufacturing or customer service line. It is unlikely that you would ask for a ISO quality audit for your HR or finance department.

The number one question you have to determine is—what do you want? What is the scope? What is the area? What are the processes you want to see covered in this particular audit? Given that, I can say that there are some very large organizations that have gone through similar audits recognized by other national accreditation bodies (in particular, the United Kingdom one) where you take a very large international bank which had an 11 person department certified. That was sufficient for their particular needs.

The number one question is the scope you have to go through. Generally, you’ll find that an audit will try to take place between—it’s a minimum of two days, and more likely five days or more, depending on the size and scope. Assuming that the auditors are competitive with the other price points in the market, you should anticipate paying $1,200-$1,500/day plus expenses for an auditor to come in.

There is some preliminary work in it, so you’re looking at the low end of maybe $5,000. I am aware of audits that have gone into tens of thousands of dollars. What is more significant, however, is the issue of what it takes to be prepared for it. I have seen it that the consulting efforts surrounding audits range anywhere from five to ten times the actual cost of the audit. If you are paying $5,000 for an audit to take place, it could cost you $20,000-$30,000 to be prepared for it.

Question:
Bob Fletcher: There is clear competition among the SDOs and other supply chain contractors (trainers, assessors, consultants, suppliers) who stand to benefit from being in the PS-PREP certification process. How does ANAB ensure transparency to ensure that no entity gets preferential treatment in terms of early access to information, opportunities and that there is no conflict of interest among the various pieces? e.g. SDO members consult in PS-PREP process, build standards, train on how to comply, assess compliance and provide remedial services to accomplish certification

Donald Byrne: That is an ANAB question and I can’t speak on behalf of ANAB. I can tell you that the committee has been active with representation. I was not involved in choosing who was represented. It seems to me that there was at least one representative from most of the major areas, or the major groups that were involved with the process over the past more than 12 month period of time. It’s a good question and an important question, but one better directed to ANAB than me. I can’t speak on their behalf. I’m just a committee member. I don’t know the inner workings of their operations.

Question:
Amy Sebring: You mentioned various approaches to the question of the small businesses. Is DHS expected to come out with some kind of recommendation on that or resolve that in some timeframe this year?

Donald Byrne: Again, the question is better directed to them. I consider that I know DHS and FEMA take very seriously the challenge of dealing with smaller businesses. There are a number of different groups that are looking at how to deal with that particular issue. The two sort of unresolved issues for the PS-Prep Program is the one you’ve just articulated, which is small businesses.

The other one is how to work in a collaborative manner with the regulators from the 18 different infrastructure areas. I know that time, energy and effort is being spent on methods of doing that. If you listen to the pundits, the pundits will tell you probably some kind of self declaration will play a role in what is done. But we don’t know for sure. We won’t know until DHS comes out of an area, but we certainly have entertained that as an approach. Whether that will come true or not, only time will tell.

[Closing]

Amy Sebring: Time to wrap for today. Thank you very much Don, we appreciate your taking the time to be with us today and share this information. Again, here is Don’s contact information if you would like to follow up with him directly.

[Slide 38]

Also, Don will be in the Washington D.C. area during October 19th, doing another presentation on PS-Prep for the ACP Chapter there, and you can find further information about that event on the ACP Website.

Now PLEASE take a moment to do the rating/review! I am going to load the rating/review form into Live Meeting so you can complete it on the spot. Note: We are asking you to rate the relevance of the information, and this will assist us in our future programming.

We are pleased to welcome a new partner today, the British Columbia Association of Emergency Managers, represented by Lynn Orstad, Vice President. Lynn has been a participant with us for many years and we are very happy to welcome them. The mission of BCAEM is "to work with federal, provincial and local governments, First Nations and Aboriginal Peoples, the business community, public agencies, volunteer association and other non-government organizations, to enhance the provision and delivery of integrated, effective emergency management programs for our communities in alignment with the principles and response goals of the British Columbia Emergency Response Management System."

If you organization is interested in becoming a partner, go to our home page and click on the link for "Our Partners."

Again, the recording should be available later this afternoon. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page to Subscribe.

If you were with us last time, you may have noticed our program today changed from what was announced (Planning Guidance for Nuclear Detonation). We are in the process of trying to reschedule that program for later on. Our next Forum will be October 13th, same time, same place. Please make plans to join us then.

In the meantime, thanks to everyone for participating today and have a great afternoon. We are adjourned.