NFPA 1600 or BS25999?
...Why Not Both?

by Stacy Gardner


New business continuity standards, and revisions to existing ones, continue to be released in an attempt to uniformly and comprehensively define the core components of a successful business continuity program, and efforts to definitively establish the best standard have grown to a clamor. However, marketing campaigns, some misinformation and a lack of understanding all fuel a complex, and unnecessary, debate over which standard is best. Although there are dozens of standards available, the purpose of this article is to offer an unbiased summary of the similarities and unique features of two leading standards, NFPA 1600 (2007 edition) and BS 25999-2, in order to show how each offers valuable approaches that can help organizations determine the strategies and program management processes that best fit them. When considering which standard(s) best fit an organization, business continuity professionals should consider any and all standards that may be applicable and valuable.

As a standard first released by the National Fire Protection Association in 1995, NFPA 1600 should be familiar to many business continuity professionals. Though NFPA 1600 was initially focused on disaster response, it was modified in 2000 to include “total program planning” and has been revised twice since then, with new versions in 2004 and 2007. The 2010 edition of NFPA 1600 is in development and a draft should be available by year-end. As it stands today, NFPA 1600 is a high level standard that defines the essential elements of an emergency management and business continuity program. Consistent with its intent to be high level, NFPA 1600 does not prescribe in detail how to address each element. Additionally, the standard is written using “required” versus “recommended” to enable government jurisdictions and other entities to adopt the standard; however, as a voluntary standard, it is only mandatory for those entities choosing to follow it.

In comparison, BS 25999, a business-focused planning standard (adaptable to the public sector), is largely viewed as an “umbrella” standard that allows organizations to integrate content from other standards into what is called a “Business Continuity Management System”. The BS 25999 model, intended to be an ISO standard in the near future, was designed by the British Standards Institution (BSI) to integrate various business continuity-related risk management disciplines together under common management and oversight. As BS 25999 is relatively new, it is just beginning to catch the attention of organizations. BSI published Part One: Code of Practice in 2006 and published Part Two: the Specification in late 2007. Part One describes the “what and how” of a Business Continuity Management System, whereas Part Two outlines objective criteria to evaluate a program (possibly for certification). Similar to NFPA 1600, BS 25999 is a voluntary standard and is only mandatory for those entities choosing to follow it or those seeking BS 25999 certification.

Main Focus of the Standard
NFPA 1600 is applicable to public, not-for-profit and private sector entities. It establishes a common set of criteria for a disaster/emergency management and business continuity program. It also provides the criteria to develop, implement, maintain and assess five main aspects of business continuity programs: prevention, mitigation, preparation, response, and recovery. NFPA 1600 integrates emergency management with key elements of business continuity, including conducting a business impact analysis and risk assessment, to understand and address vulnerabilities to critical areas within an organization. A main goal of NFPA 1600 is to protect people, property, and the environment, along with the business enterprise, in compliance with laws and regulations that dictate organizational preparedness.

BS 25999, in comparison, focuses on analyzing and understanding the business or organizational mission, and then developing a program and underlying management system to meet its requirements. Though the organization’s requirements will differ by entity, it is assumed they will include protecting and recovering core assets and continuing the delivery of essential services. BS 25999’s “Plan-Do-Check-Act” model is consistent with other ISO management system standards. In particular, BS 25999 requires defining a business continuity policy and objectives that support implementing and maintaining controls to reduce and manage an organization’s overall business continuity risk and to meet the organization’s strategic obligations. While BS 25999 may not specifically and thoroughly address certain elements of risk management (e.g. emergency response, insurance and security), it is written to integrate with other standards that address such elements more fully. BS 25999 also places particular emphasis on defining a management system, mandating continuous leadership involvement and decision-making, and “tying together” the various components of traditional business continuity-related programs. Other areas of emphasis include document management and controls, not only to verify that the program meets its goals but also to work toward continual improvement based on objective measures.

Program Management
Both standards necessitate developing a policy to guide the direction of and requirements for the business continuity program, as well as defining management involvement and the personnel to oversee and implement the program. Both standards also advocate using documented plans and procedures, with auditable evidence, to manage the business continuity process.

NFPA 1600 requires appointing an advisory committee, as well as a program coordinator, to oversee the “preparation, implementation, evaluation, and revision of the program”. The standard also requires defining an executive policy, program goals and objectives, program plan and procedures, performance objectives, budget and project schedule, periodic evaluation, and records management practices. It also requires the evaluation of program plans, procedures, and capabilities through periodic reviews, testing, and exercises, with corrective action taken to address identified deficiencies. Reviews include actions such as post-incident critiques, lessons learned and performance evaluations.

Similarly, BS 25999 specifically calls for establishing and demonstrating management’s commitment to the business continuity management policy through a steering committee function and associated documentation to enhance repeatability. It also states that management must appoint an individual to hold overall responsibility for the program, as well as assign one or more personnel to manage day-to-day activities. Management reviews, as well as independent (internal) audits of the program’s performance, are emphasized to create visibility and highlight opportunities for improvement. Although both standards call for periodic review and evaluation of the policy, only BS 25999 states that the policy shall be formally approved by top management and communicated to all persons working for or on behalf of the organization.

Risk Assessment, Prevention and Mitigation
Both standards acknowledge the importance of identifying and analyzing threats and vulnerabilities to operations and activities, determining the likelihood of their occurrences and monitoring the hazards. NFPA 1600 specifically requires assessing the vulnerability of people, property, and the environment from “all hazards”, defined as natural, man-made, and technological (calling out specific hazards as examples). NFPA 1600 includes requirements for prevention and mitigation, which focus on preventing an incident that threatens people, property, and the environment and limiting or controlling the consequences, extent, or severity of an incident that cannot be reasonably prevented. The strategy shall be based on program constraints, operational experience and cost-benefit analysis.

BS 25999 focuses more on understanding the impact on critical activities rather than the cause, with emphasis on assessing current-state risk treatment viability and possible enhancement opportunities. BS 25999 also states that business partner and supplier risks should be analyzed, and if a risk cannot be mitigated effectively, it should be formally accepted by the organization.

Business Impact Analysis
NFPA 1600 and BS 25999 both incorporate conducting a business impact analysis to understand the potential impacts of outages. NFPA 1600 extends the impact analysis beyond business to include analysis of the impacts of hazards on the health and safety of people, property, facilities, infrastructure, and the environment, while BS 25999 focuses on fully understanding what is critical to core operations, including underlying infrastructure, resources and third-parties.

Resources
Both standards state that resource management objectives should be established to ensure that the program is appropriately funded, staffed and equipped, and that personnel are trained and have the knowledge to maintain the program. NFPA 1600 requires that the entity identify resource capability shortfalls and the steps necessary to overcome them. NFPA 1600 includes requirements for logistical support for the program, including procedures to identify, request and track resources, as well as to activate, dispatch and deactivate these resources during an incident. NFPA 1600 also addresses mutual aid.

Plans and Procedures
Both NFPA 1600 and BS 25999 define the structure and content of plans. Key content includes objectives, roles and responsibilities, activation criteria, authority to declare and manage an incident, resource requirements, alternate work locations, communication capabilities and strategies for both internal and external stakeholders, and response and recovery processes. Both standards also state that plans need to be available to those who are responsible for implementing them. BS 25999 states that plans should have identified plan owners responsible for reviewing, updating and approving plans to ensure accountability and maintenance. NFPA 1600 places program-level responsibility on the program coordinator “to administer and keep current the program”, whereas BS 25999, recognizing that plan maintenance is often decentralized in many organizations, does not state definitively where this responsibility resides.

NFPA 1600 specifies that the program shall include a strategic plan, emergency operations/response plan, prevention plan, mitigation plan, recovery plan and continuity plan. Rather than defining multiple plans, BS 25999 only specifies that plans “outline how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.”

Incident Management
NFPA 1600 requires the entity to develop an incident management system to direct, control and coordinate response and recovery operations, which must be guided by an incident action plan or management by objectives. The incident management system should enable an organization to respond to any event or outage not mitigated through incident prevention and mitigation.

BS 25999 similarly requires the organization to “define an incident response structure that will enable an effective response and recovery from disruptions.” Further, it states that each “team should have plans, processes and procedures to manage the incident and these should be supported by business continuity tools to enable continuity and recovery of critical activities.” Additionally, BS 25999 stresses and requires a “Preventive Action” plan to promote “detection” rather than “reaction”.

Training
NFPA 1600 and BS 25999 recognize the importance of training and education, focused on awareness and enhancing knowledge and skill in each individual’s role in response and in developing a strong business continuity program. Both also acknowledge that training must occur on a periodic basis to ensure the information is fresh and current, and that training records must be kept for audit and regulatory purposes. However, BS 25999 focuses significantly more on verifying personnel are properly trained, including analyzing training needs and documenting records that verify that the necessary competence is reached.

Exercises
Both standards also state that organizations should conduct regular, planned and documented exercises to verify that program elements meet stated business objectives, as well as to familiarize personnel with the response process. Both standards advise testing the program frequently, whether individual elements or the entire program as a whole. Both also state that lessons learned meetings and post-exercise program element reviews should occur, with key findings incorporated into plan updates and future planning scenarios.

BS 25999 asserts that the testing program should be approved by top management and vary the scenario scopes. It also dictates that exercises should be planned to prevent causing a true outage and, following the exercise, a written report should be submitted to management.

Documentation and Records
While NFPA 1600 states the importance of records management practices, BS 25999 focuses significantly on this area (to provide evidence of management system performance over time, in anticipation of organizational certification). Specifically, all critical elements of the business continuity program should have procedures specific to documenting the existence, maintenance and effectiveness of these elements. Procedures should also be documented to define the controls monitoring the records management process to ensure the documents are easily identifiable and retrievable, approved before use, reviewed and updated as necessary, and that revisions are tracked, distribution is controlled and obsolete documents are destroyed.

Conclusion
Though each standard has unique components and approaches, both recognize key elements within business continuity. There are a number of factors planners should consider when deciding which elements in each standard best fit their organization’s culture. NFPA 1600, first developed in 1995, has been heavily utilized in government and public entities (as well as many private sector entities) for over a decade and is considered one of the leading standards in the United States. BS 25999, in comparison, is quite new, though it was designed to be internationally applicable.

NFPA 1600 defines program elements for emergency response and business continuity based on the results of an “all hazards” risk assessment and impact analysis. It includes requirements for prevention and mitigation. NFPA 1600 has been approved by ANSI as an American National Standard, has been endorsed by the 9/11 Commission (2004) and noted as an example standard in Public Law 110-53 (Implementing Recommendations of the 9/11 Commission Act of 2007). In 2005, it was adopted by the US Department of Homeland Security as a best practice. It is one of the standards being evaluated for use as the criteria for certification or accreditation of private sector preparedness in accordance with Title IX of Public Law 110-53.

BS 25999 is designed as an international management system for business continuity, heavily focused on the understanding of organizational processes and addressing any risks that threaten the continuity of critical activities. As BS 25999 is currently the only auditable and certifiable business continuity management system, organizations can have their business continuity management program certified to BS 25999, which could be beneficial to those companies looking for market differentiation, customer reassurance, compliance with regulatory requirements, or answers to board inquiries regarding operational risk. Like NFPA 1600, it is one of the standards being evaluated for use as the criteria for certification or accreditation of private sector preparedness in accordance with Title IX of Public Law 110-53.

While there is an impressive “battle” raging on which standard is best or most all-encompassing, continuing this argument only distracts organizations from reaping the benefits each standard has to offer. This article is written to help readers understand, at a high-level, the purpose, intent and content of two leading and often-compared standards, not to recommend one over the other. Most organizations would benefit from leveraging and applying the content from multiple standards to improve business continuity readiness. As a result, business leaders and business continuity program managers should consider the recommendations of all available standards to identify the most applicable and appropriate strategies for their organizations.


About the Author
Stacy Gardner (CBCP) is a consultant with Avalution Consulting. At Avalution, Stacy has worked in a variety of industries to help clients develop and enhance their business continuity programs. Stacy focuses exclusively on Event Risk and Business Continuity Management (BCM), specifically program definition, risk assessment, business impact analysis, strategy definition, plan development, testing, training and program maintenance. Stacy also has extensive knowledge on pandemic preparedness and planning. Stacy may be reached at stacy.gardner@avalution.com.

A special thank you to the following individuals for their substantial assistance in ensuring this article is as complete, unbiased and comprehensive as possible: John DiMaria, BS 25999 Product Manager, BSI Management Systems; Don Schmidt, Technical Lead, NFPA Technical Committee on Emergency Management and Business Continuity; Peter Shebell, Standards Policy Manager, the U.S. Department of Homeland Security; and Dr. Marc Siegel, head of the ASIS International Global Standards Initiative.
