A Missing Link Between Business Resilience & Incentives?
A New U.S. Law and Corporate Preparedness

by William Raisch

A much needed link between good practice in corporate preparedness and bottom-line incentives for businesses may be in the offing.

This could significantly advance resilience in corporate priorities. The new U.S. legislation calls for the establishment of a voluntary private sector preparedness certification program for American businesses. The certification program could create a method to facilitate greater acknowledgement of preparedness by the insurance industry, rating agencies, legal community, supply chain management arena and others. Vital to the success of this program will be early and active stakeholder involvement by both the general corporate sector as well as key players in the incentives community.

The Law
The legislation was signed into law on August 3, 2007. It is entitled ‘‘Implementing Recommendations of the 9/11 Commission Act of 2007,’’ but it is not just about counter-terrorism and national security. Title IX of Public Law 110-53 calls for the creation of a new program targeted at “all-hazards” business emergency preparedness and continuity.

The new legislation requires the U.S. Department of Homeland Security (DHS) to provide for the development of a private sector voluntary certification program for all-hazards business emergency preparedness. This program is to be developed in consultation with key stakeholders reflecting existing best practices and standards. The full text of the law is available at: www.govtrack.us/congress/billtext. xpd?bill=h110-1&show-changes=0

Key Points of Title IX
1. The goal of the legislation is to provide a method to independently certify the emergency preparedness of private sector organizations. It includes their disaster/emergency management and business continuity programs. The program is to certify businesses and other private sector entities, not individual professionals. The focus is on all-hazards preparedness and not on terrorism.

2. The program is to be voluntary. Businesses will decide whether or not they wish to obtain certification of their organizations’ preparedness, likely based on what benefits they see in such certification.

3. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a variety of private sector advisory groups and others.

4. The federal government will not run the certification program. The program will be administered outside of government by third party organizations with experience in accreditation and certification programs.

5. One or more preparedness standards can be designated. NFPA 1600 is referenced as one example. The law calls for the adoption of “one or more appropriate voluntary preparedness standards.” It further states that “The term ‘voluntary preparedness standards’ means a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as…ANSI/NFPA 1600.’’

6. Existing industry efforts, certifications and reporting in this area will be recognized and integrated. The legislation requires that the program consider the unique nature of various groups within the private sector, including current preparedness certifications and reporting as well as existing initiatives by other federal agencies. The legislation specifically calls for existing certification efforts to be acknowledged to avoid duplication, where appropriate.

7. Special consideration will be made for small businesses. The program is to establish separate classifications and methods of certification for small business concerns.

8. Proprietary and confidential information is to be protected. The administration of the program outside of government by a third party, non-governmental agency and requiring any certifying body to enter into a confidentiality agreement with the company to be certified will protect sensitive information.

Key Responsibilities of the U.S. Department of Homeland Security
The federal government has four basic tasks in establishing the program:

1. DHS will designate one or more organizations to act as the accrediting body to develop and oversee the certification process, and to accredit qualified third parties to carry out the certification program. This decision is independent of the actual standards to be utilized in assessing preparedness and likely will focus more on capacity to manage and support the accreditation process.

2. DHS will separately designate one or more standards for assessing private sector preparedness. The standards may be tailored to specific sectors and must accomodate separate considerations for small businesses.

3. DHS will provide information and promote the business case for voluntary compliance with preparedness standards. Businesses must be aware of the program and see value in it to participate in the program.

4. DHS will monitor the effectiveness of the program. DHS will annually review the program and must make improvements and adjustments as necessary and appropriate.

Key Considerations Going Forward
The International Center for Enterprise Preparedness (InterCEP) at New York University is the world’s first academic research center dedicated to private sector preparedness and resilience. InterCEP recommended the establishment of the private sector certification program to Congress based upon its active engagement with incentives stakeholders and the corporate community. Several factors below will influence the success of the program.

1. Market-based incentives should be integrated with this certification program. A major rationale cited in the Congressional testimony for the program was the need for a closer link between preparedness and benefits for business. Key stakeholders in such areas as insurance, legal liability, rating agencies and supply chain management have acknowledged that business preparedness is valuable and should be rewarded, but to date there has been no widely accepted methodology to confirm that preparedness exists in a business so that it can be rewarded.

2. Incentive providers must be involved from the beginning in the development of the certification process and its ongoing implementation. The program must be structured so the final assessment is of value to them and justifies marketbased incentives.

3. Businesses and their representative associations must also be involved from the beginning in the development of the certification program and its ongoing operation. Key issues related to the certification program that should be addressed include but are not limited to:

• Potential value of the certification process for internal self-assessment of preparedness activities by the business
• Use of certification as a consistent tool to promote supply chain resilience and to avoid the need for companies to do their own individual assessments of critical suppliers
• Use of certification as a proactive strategy to minimize legal liability post-event
• Use of certification in support of corporate governance and social responsibility activities
• Integration with other business reporting requirements where practical to avoid duplication and potentially integrate divergent requirements under one program
• Potential TRIA (Terrorism Risk Insurance Act) considerations
• Capitalize on existing management system activities where they exist in the corporation to facilitate conformance (e.g., quality and environmental management)
• Assurance that the ultimate program is scalable and of value to small, medium and large businesses.

4. Experience from similar, established voluntary certification programs should be tapped for insights into program development. Historical experience and lessons learned with existing voluntary certification programs could provide insights into the development of the preparedness certification program.

5. In designating one or more preparedness standards for use in the program, a “constellation of standards” should be evaluated. Where there are more than one acceptable existing preparedness standards with significant value to one or more business sectors, consideration should be given to structuring a certification process which accommodates the assessment of the business against one or more standards in a unified framework that acknowledges a common core of program elements and best practices.

About the Author
William Raisch is Director of the International Center for Enterprise Preparedness (InterCEP) at New York University. InterCEP is the world’s first major academic center dedicated to private sector preparedness and resilience. Mr. Raisch was a private sector advisor to the Federal 9/11 Commission which advocated both a voluntary standard for preparedness and market- based incentives to encourage compliance with the standard. Mr. Raisch can be reached at 212.998.2000 or intercep@nyu.edu.