NFPA 1600 or BS25999?
As new, or revisions to existing, business continuity standards continue to be released in an attempt to uniformly and comprehensively define the core components of a successful business continuity program, efforts to definitively establish the best standard grow to a clamor. However, marketing campaigns, some misinformation and a lack of understanding all fuel a complex – and unnecessary – debate on which standard is best. Although there are dozens of standards available, the purpose of this article is to offer an unbiased summary of the similarities and unique features of two leading standards, NFPA 1600 (v2007) and BS 25999-2, in order to show how each offers valuable approaches that can help organizations determine strategies and program management processes that best fit their organization. When considering which standard(s) best fit an organization, business continuity professionals should consider any and all standards that may be applicable and valuable.
As a standard first released by the National Fire Protection Association in 1995, NFPA 1600 should be familiar to many business continuity professionals. Though NFPA 1600 was initially focused on disaster response, it was modified in 2000 to include “total program planning” and has been revised twice since then, with new versions in 2004 and 2007. The 2010 edition of NFPA 1600 is in development and a draft should be available by year-end. As it stands today, NFPA 1600 is a high level standard that defines the essential elements of an emergency management and business continuity program. Consistent with its intent to be high level, NFPA 1600 does not prescribe in detail how to address each element. Additionally, the standard is written using “required” versus “recommended” to enable government jurisdictions and other entities to adopt the standard; however, as a voluntary standard, it is only mandatory for those entities choosing to follow it.
In comparison, BS 25999, a business-focused planning standard (adaptable to the public sector), is largely viewed as an “umbrella” standard that allows organizations to integrate content from other standards into what is called a “Business Continuity Management System”. The BS 25999 model, intended to be an ISO standard in the near future, was designed by the British Standards Institution (BSI) to integrate various business continuity-related risk management disciplines together under common management and oversight. As BS 25999 is relatively new, it is just beginning to catch the attention of organizations. BSI published Part One: Code of Practice in 2006 and published Part Two: the Specification in late 2007. Part One describes the “what and how” of a Business Continuity Management System, whereas Part Two outlines objective criteria to evaluate a program (possibly for certification). Similar to NFPA 1600, BS 25999 is a voluntary standard and is only mandatory for those entities choosing to follow it or those seeking BS 25999 certification.
Main Focus of the Standard
BS 25999, in comparison, focuses on analyzing and understanding the business or organizational mission, and then developing a program and underlying management system to meet requirements. Though the organization’s requirements will differ by entity, it is assumed they will include protecting and recovering core assets and continuing the delivery of essential services. BS 25999’s “Plan-Do-Check-Act” model is consistent with ISO standards. Particularly, BS 25999 mandates defining policy mandates and objectives for business continuity that support implementing and maintaining controls to reduce and manage an organization’s overall business continuity risk, as well as meet the organization’s strategic obligations. While BS 25999 may not specifically and thoroughly address certain elements of risk management (e.g. emergency response, insurance and security), it is written to integrate with other standards that emphasize elements such as these more clearly. BS 25999 also provides particular emphasis on defining a management system, mandating continuous leadership involvement and decision-making, “tying together” the various components of traditional business continuity-related programs. Other areas of emphasis include document management and controls to not only verify that the program meets its goals but also works toward continual improvement based on objective measures.
NFPA 1600 requires appointing an advisory committee, as well as a program coordinator, to oversee the “preparation, implementation, evaluation, and revision of the program”. The standard also requires defining an executive policy, program goals and objectives, program plan and procedures, performance objectives, budget and project schedule, periodic evaluation, and records management practices. It also requires the evaluation of program plans, procedures, and capabilities through periodic reviews, testing, and exercises, with corrective action taken to address identified deficiencies. Reviews include actions such as post-incident critiques, lessons learned and performance evaluations.
Similarly, BS 25999 specifically calls out establishing and demonstrating management’s commitment to the business continuity management policy through a steering committee function and associated documentation to enhance repeatability. It also states that management needs to appoint an individual to claim overall responsibility for the program, as well as assign one or more personnel to manage day-to-day activities. Management reviews, as well as independent (internal) audits of the program’s performance, are emphasized to create visibility and highlight opportunities for improvement. Although both standards call for periodic review and evaluation of the policy, only BS 25999 states that the policy shall be formally approved by top management and communicated to all persons working for or on behalf of the organization.
Risk Assessment, Prevention and Mitigation
BS 25999 focuses more on understanding the impact on critical activities rather than the cause, with emphasis on assessing current-state risk treatment viability and possible enhancement opportunities. BS 25999 also states that business partner and supplier risks should be analyzed, and if a risk cannot be mitigated effectively, it should be formally accepted by the organization.
Business Impact Analysis
Plans and Procedures
NFPA 1600 specifies that the program shall include a strategic plan, emergency operations/response plan, prevention plan, mitigation plan, recovery plan and continuity plan. Rather than defining multiple plans, BS 25999 only specifies that plans “outline how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.”
BS 25999 similarly requires the organization to “define an incident response structure that will enable an effective response and recovery from disruptions.” Further it states that that each “team should have plans, processes and procedures to manage the incident and these should be supported by business continuity tools to enable continuity and recovery of critical activities.” Additionally BS 25999 stresses and requires a “Preventive Action” plan to promote “detection” rather than “reaction”.
BS 25999 asserts that the testing program should be approved by top management and vary the scenario scopes. It also dictates that exercises should be planned to prevent causing a true outage and, following the exercise, a written report should be submitted to management.
Documentation and Records
NFPA 1600 defines program elements for emergency response and business continuity based on the results of an “all hazards” risk assessment and impact analysis. It includes requirements for prevention and mitigation. NFPA 1600 has been approved by ANSI as an American National Standard, has been endorsed by the 9/11 Commission (2004) and noted as an example standard in Public Law 110-53 (Implementing Recommendations of the 9/11 Commission Act of 2007). In 2005, it was adopted by the US Department of Homeland Security as a best practice. It is one of the standards being evaluated for use as the criteria for certification or accreditation of private sector preparedness in accordance with Title IX of Public Law 110-53.
BS 25999 is designed as an international management system for business continuity, heavily focused on the understanding of organizational processes and addressing any risks that threaten the continuity of critical activities. As BS 25999 is currently the only auditable and certifiable business continuity management system, organizations can have their business continuity management program certified to BS 25999, which could be beneficial to those companies looking for market differentiation, customer reassurance, compliance with regulatory requirements, or answers to board inquiries regarding operational risk. Like NFPA 1600, it is one of the standards being evaluated for use as the criteria for certification or accreditation of private sector preparedness in accordance with Title IX of Public Law 110-53.
While there is an impressive “battle” raging on which standard is best or most all-encompassing, continuing this argument only distracts organizations from reaping the benefits each standard has to offer. This article is written to help readers understand, at a high-level, the purpose, intent and content of two leading and often-compared standards, not to recommend one over the other. Most organizations would benefit from leveraging and applying the content from multiple standards to improve business continuity readiness. As a result, business leaders and business continuity program managers should consider the recommendations of all available standards to identify the most applicable and appropriate strategies for their organizations.
About the Author