Disaster-Resource.com

Standards to Enhance Organizational Resilience: Security, Preparedness, and Continuity Management
By Dr. Marc Siegel

All organizations face a certain amount of uncertainty and risk. In order to maintain resilience, competitiveness, and performance, organizations must have a system to manage their risks. The challenge is to determine how much risk and uncertainty is acceptable and how to cost-effectively manage the risk and uncertainty while meeting the organization’s strategic and operational objectives. Given the finite resources of organizations, it is imperative that they have business-friendly tools to address the array of threats, hazards and risks they may face. Standards will be playing an ever-increasing role in the management of the operational risks organizations face.

Since the introduction of the ISO 9001 quality management system standard there has been global recognition of the utility of management system standards and approaches. Subsequent acceptance of the ISO 14001 environmental management system standard and the OHSAS 18001 occupational health and safety management system standard has been followed by the introduction of additional management system standards, including the ISO 27000 information security management system standard and the ISO 28000 supply chain security management system standard. This has led to consideration of an array of management system standards addressing social responsibility, enterprise risk management, security, preparedness, business/operational continuity, etc.

ISO – the International Organization for Standardization – published ISO Guide 72:2001 – “Guidelines for the justification and development of management system standards in order to support consistent and integrated implementation and operation with related management standards.” One suitably designed management system can thus satisfy the requirements of all these standards.

The integrated approach can help avoid segregating or siloing risks and provides an overall risk profile allowing the organization to better understand the relationships between risks and identify solutions to problems. It leverages the perspectives, knowledge and capabilities of divisions and individuals within an organization. Because of the relatively low probability and yet potentially high consequence nature of many natural, intentional, or unintentional threats and hazards that an organization may face, an integrated approach allows an organization to establish priorities that address its individual needs for risk management within an economically sound context.

What Do Professionals Need to Know About Standards?

  • What are Standards?
  • How are Standards Made?
  • What is Conformity Assessment? (aka. “Certification”)
  • Building on Accepted Total Quality Management (TQM) Practices
  • PDCA and Organizational Resilience
  • Standards to Enhance Organizational Resilience: Security, preparedness, and Continuity Management

What are Standards?
Standards impact our daily lives even though most people take them for granted. Standards provide a basis for doing things in a consistent way. They are a set of voluntary criteria, voluntary guidelines and/or best practices used to enhance the quality, performance, reliability and consistency of products, services and/or processes. ISO/IEC Guide 2:2004 defines a standard as a “document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.”

Standards assure levels of quality, safety, reliability, efficiency and interchangeability, as well as provide benefits at an economical cost. International standards make trade between countries easier and fairer while promoting interoperability of products, services and processes.

Standards are voluntary. Interested and affected parties and stakeholders participate voluntarily in their development. Use and implementation of standards is voluntary, where organizations may choose to implement all or part of a published standard, or simply use it as a benchmark of best practices. Typically, standards development bodies do not have a mechanism to enforce conformity to a standard. However, standards may become a market requirement where a certain product specification becomes the norm of international business (e.g. bank cards, shipping containers) or a management specification is contractually required (e.g. the ISO 9001 quality management standard).

There are two types of standards. The vast majority of standards provide highly specific criteria for a particular product, material, or process. On the other hand, “generic management system standards” provide criteria for an organization’s management system establishing a number of critical core elements to support how it manages its processes, functions or activities. They are referred to as “generic” because they are applicable to any public or private organization, large or small, whatever its function, products, or services. Complementing these voluntary management system standards are families of standards providing implementation guidance and guides for conformity assessment.

How are Standards Made?
Standardization work is conducted by groups of experts in voluntary technical committees using the defined procedures of the standards development organization. Most countries use a centralized approach, with the national standards body coordinating the standards development process. In the United States, a decentralized model is used, with hundreds of standards development organizations developing standards using processes approved by the American National Standards Institute (ANSI). Regardless of the model, technical committees or working groups are made up of qualified representatives of industry, research institutes, public authorities, consumer and/or professional bodies.

Four principles of standards development are:

  • Standards development work is carried out in technical committees comprised of experts from the industrial, technical and business sectors which have asked for the standards, and who will put them to use.
  • Committees are composed of representatives of organizations interested in or affected by the subject matter.
  • Committee balance and openness, as well as the processes of impartiality and transparency, ensure that the content of a standard is relevant, credible and broadly acceptable.
  • Standards development is market driven addressing an identified need.

The standards development process is market driven by stakeholders in the public and private sectors who will put them to use. Service providers may take part in the process; however, the objective of standards development is not to create a market for their services.

What is Conformity Assessment? (aka. “Certification”)
Conformity assessments are the processes – defined by a series of ISO/IEC standards – used to demonstrate that a product, service, management system, or body meets specified requirements contained in standards and guides. The processes that must be followed to demonstrate that these requirements are met are also contained in ISO/IEC standards and guides.

Conformity assessment activities can be characterized as:

  • First party – conformity assessment to a standard, specification or regulation is carried out by the organization itself. It is a self-assessment with an organization’s self-declaration of conformity.
  • Second party – conformity assessment to a standard, specification or regulation is performed by the customer of the organization. The external assessor declares conformity and conformity may be contractually enforced by the customer (e.g., in a supply chain).
  • Third party – conformity assessment to a standard, specification or regulation is performed by a body that is independent of the organization that provides the product and is not a user of the product. An independent certification body certifies that another organization complies with a standard, specification or regulation and issues it with a certificate to this effect.

The time-tested and internationally recognized ISO system for conformity assessment has been designed to assure the quality, transparency and integrity of the conformity assessment process. ISO standards provide the principles and requirements essential to avoid conflicts of interest and assure appropriate separation of roles and function of accreditation and certification bodies as well as auditors and consultants involved in management standards implementation.

Building on Accepted Total Quality Management (TQM) Practices
Through a structured and systematic process organizations can manage risk and uncertainty in a proactive fashion, as well as mitigate and recover from unavoidable disruptions. It must be recognized that by implementing appropriate preventative controls and risk treatments an organization can reduce the residual risk of a disruptive event, be it natural, accidental, or intentional. However, it is not possible to completely eliminate the likelihood of a disruption. Therefore, effective risk management must address mitigation, response, continuity, and recovery in addition to prevention and deterrence.

Currently, organizations typically have some components of a security, preparedness, and continuity management standard in place that they can build upon; however, in most cases no systematic and institutionalized approach is used in security, preparedness and continuity management. Operational and business resilience is a driving objective of risk-based management.

Too frequently decisions are not based on a systematic risk assessment approach but rather are based on the manager’s expertise, or on external consultants selling specific technological solutions. To be effective and efficient, security, preparedness and continuity management needs to be based on the organization’s core values, business goals, risk assessment, and commitments. All stakeholders in the organization must be integrated into the effort to manage security, preparedness and continuity issues. What is frequently lacking is a clear systematic and documented approach to set measurable objectives and targets; monitor, measure, and evaluate progress; identify, prevent or repair security problems as they occur; train personnel; and provide top management with a feedback loop to assess progress and make appropriate changes to the management system. A security, preparedness, and continuity management system standard makes certain that each of these components is in place to assure continuity and integrity of operations. The implementation process documents an organization’s efforts to achieve compliance with all legal and regulatory requirements and industry best practices. Furthermore, it requires that an organization analyze and make plans for continuity in the event of an incident. It is more than a simple “check box” approach. It establishes a systematic approach for an organization to integrate security, preparedness, and continuity into all its policies, operations and management practices, allowing the organization to demonstrate that it has indeed elevated security, preparedness, and continuity management to an organization-wide priority.

The internationally recognized approach used in the security, preparedness, and continuity management system standards follows the Total Quality Management “Plan, Do, Check, Act” PDCA systems methodology which weaves security, preparedness and continuity decision making into the fabric of an organization’s overall operational and business practices. The PDCA model is sometimes referred to as the APCI Model: Plan (Assess) - Do (Protect) - Check (Confirm) - Act (Improve).

This makes the organization more efficient, more competitive, and better able to meet important challenges. It provides a set of problem identification and problem-solving tools that can be implemented by an organization in many different ways, depending on its activities and needs. By incorporating a dynamic systematic risk-based process into security, crisis, emergency, and continuity management, organizations can make informed decisions tailored to the organization’s facilities, products, services, and functions. As has been demonstrated with environmental, health and safety, and quality management standards, the TQM approach instills an organizational culture that drives continual improvement.

It is important to recognize that effective security, preparedness, and continuity management requires a fundamental cultural change within the organization that includes an acceptance of uncertainty and imperfection. All levels of an organization need to appreciate that risk is inherent in every decision and activity, and that a proportion of this risk has the potential to create disruption. People at all levels of an organization therefore need to consider how they will manage such disruptions to their activities.

ISO management system standards all use a process approach with the PDCA model. ISO Guide 72 established “common elements” for management system standards that can be arranged under the following main subjects:

  • policy;
  • planning;
  • implementation and operation;
  • performance assessment;
  • improvement;
  • management review.

This supports consistent and integrated implementation and operation with related management standards. One suitably designed management system can satisfy the requirements of all the various ISO management system standards.

PDCA and Organizational Resilience
Organizations can integrate security, preparedness, and continuity management into their planning and management processes in order to:

Plan
  • Understand the environment within which the organization operates
  • Define the project scope, procedures, roles, responsibilities, and resources
  • Establish policy with management commitment and support
  • Identify critical objectives, operation, functions, products and services
  • Define business processes that are essential to the organization as well as its customers and stakeholders
  • Conduct risk assessment (including threat and hazard identification; risk, vulnerability, criticality and legal requirements analysis)
  • Quantify impacts of disruptive events on critical functions and processes, and identify the infrastructure and resources required to enable the organization to continue to operate at an acceptable level
  • Establish priorities and set objectives and targets
  • Develop management strategies

Do
  • Develop and implement tactical approaches for operational and control strategies, plans, procedures and programs, including:
    • Establish awareness, competence and training strategies, plans and programs
    • Define roles, responsibilities and authorities
    • Develop internal and external communication strategies, plans and programs
    • Allocate human, physical and financial resources
    • Establish, implement and maintain procedures to prepare for and respond to a disruptive incident
    • Institute processes to ensure information and documents remain current, relevant, and secure

Check
  • Conduct performance assessment and evaluation and system maintenance
  • Conduct internal audits to validate processes and look for improvement opportunities
  • Establish effective closed-loop corrective and preventive action processes

Act
  • Review by top management using the input from above steps
  • Assess opportunities for improvement and the need for changes
  • Standardize solutions and define next issues

ISO, as well as many national standards bodies around the world, is now applying the PDCA model to security, preparedness and continuity management. The objective is to create a standard for organizational resilience that can be integrated with existing management systems to support business-friendly management of operational risks. Application of the continuous improvement PDCA approach is illustrated in Figure Two on page 30 of the digital version of the DRG: http://trendmag.trendoffset.com/subscriptionfee.php?magazineid=1099_2

Two Steps Forward
On the international standards scene there are two recent breakthroughs that leverage familiar management systems tools to address security, emergency/incident preparedness, and business/operational continuity. In November 2007, the ISO Technical Committee for Societal Security (ISO/TC 223: Societal Security) published the Publicly Available Specification ISO/PAS 22399:2007 Societal Security – Guideline for incident preparedness and operational continuity management. ISO/PAS 22399:2007 is the first international agreement on best practices for emergency preparedness and business continuity management.

In addition, ISO/TC 223 has launched a new work initiative to develop a preparedness and continuity management system standard. This specification standard will provide auditable criteria that address an all-hazards approach to security, preparedness and continuity management using a systems methodology similar to that of other ISO standards, enabling parallel or integrated implementation of supply chain and information security, environmental, health and safety, and quality management system standards.

In parallel with the ISO initiative, ASIS International (www.asisonline.org) has launched a national standards development program with its chapters around the globe and their corresponding national standards bodies to prepare a consistent management system standard using the ISO model for organizational resilience – security, preparedness and continuity management. Teams in various countries are also working on complementary standards, guidelines and tools to aid in implementation of the management system. This global effort will support ISO/TC 223’s efforts to develop international standards to facilitate global trade by providing the level playing field of international standards with cross-jurisdictional applicability.

The all hazards approach of these documents empowers both public and private organizations to effectively and efficiently implement an integrated approach to risk management based on the organization’s core values, business goals, risk assessment and management commitments. They provide a systematic process that allows an organization to formally demonstrate that it has a risk-based management system in place, and that the organization is committed to continual improvement that meets requirements for robustness, resilience, and effectiveness. Aligning with existing ISO standards gives organizations the option for cost effective integration of standards implementation. The integrated approach establishes a systematic methodology for an organization to incorporate risk, security, preparedness and continuity management into all its policies, operations and management practices, allowing the organization to document and verify that it has elevated risk management to an organization-wide priority.

Conclusion

The purpose of establishing a security, preparedness, and continuity management system is to ensure that all risk management and continuity activities are conducted and implemented in an agreed and controlled manner within the organization. The system enables the organization to meet changing operational needs and is appropriate to the size, complexity and nature of the organization. It establishes a clearly defined framework for the ongoing management of risk and assuring the operational continuity capability and resilience of the organization.

To be effective, a security, preparedness, and continuity management system should be an integrated management process driven, supported, and reviewed by the top management of the organization, and endorsed and promoted by its principal managers and executives. It is a holistic management process, at both the operational and organizational levels, that identifies the risks, threats and vulnerabilities of the organization and evaluates the impacts of disruptions on the organization’s ability to function, providing the organization with a resiliency strategy that will allow it to survive and continue to meet its obligations.


About the Author
Dr. Marc Siegel is an Adjunct Professor at San Diego State University in the College of Business Administration and the Master’s Program in Homeland Security. He serves as the Security Management Systems Consultant heading the ASIS International Global Standards Initiative. Dr. Siegel represents ASIS on six technical committees and working groups at ISO, as well as other international forums. He works with national standards bodies on five continents to develop international security, preparedness, and continuity management standards for the security sector. He is a highly experienced trainer on the implementation of standards. Dr. Siegel can be reached at: +1-858-484-9855 or siegel@ymail.com