Solutions Snapshot

July 1, 2009

Should my company seek business continuity certification under the Voluntary Private Sector Preparedness Certification Program? If so, what should I be doing to prepare, and how do I show cost benefits of certification? 

Don Hubbard, Security Executive Council Emeritus Faculty, Custom Group

In today’s threat environment, it is imperative that each organization inculcate the concept of resilience into its culture so that the enterprise may not only survive, but thrive in the aftermath of an incident or disaster. I believe that one of the best ways to do so is to have robust business continuity plans that show clear accountabilities and are exercised frequently. A big part of exercising plans is identifying gaps. Going through the certification process will help identify gaps and demonstrate to top management that the organization is as prepared as possible.  

The first step, in my view, is to identify the key elements of the various standards which may be adopted into the certification program and then overlay those elements onto the organization’s existing plans. Standards specifically mentioned are NFPA 1600, ISO/PAS 22399-2007 and British Standard (BS) 2599.

Some gaps likely will be apparent and remedial steps can be taken. While there are currently no concrete financial incentives to go through the certification process, many believe market forces will make it a de-facto requirement, much as the Payment Card Industry standards are now virtually mandated by the marketplace.

In addition, many believe the plaintiff’s bar, rating agencies, boards of directors, audit committees, institutional investors, stockholders, business partners (e.g. vertical supply chain) and other key stakeholders will encourage certification.

Phil Samson, Principal, PricewaterhouseCoopers LLP Business Continuity Management Services

For companies that have invested in their business continuity management (BCM) program — including a related risk management governance organization and procedures, periodic testing and update of critical components, and ongoing evaluation of exposures — certification will help validate the robustness of the program.

For those organizations that have less (or no) emphasis on BCM, now would be a good time for those with risk management responsibilities to use the tenets of the certification program to build an internal business case for a stronger BCM focus. Early adopters may begin applying for certification within the next year, and these early adopters may be your customers or key business partners, who will ask when your BCM program will undergo the certification process.

The certification cost-benefit process should start with the results of your Business Impact Analysis and BCM Strategy — where key external parties (e.g., customers, vendors, outsourcers, business partners) were identified. While the process can provide management with an indication that your BCM program is achieving the certification program’s objectives, a significant benefit of the program is peace of mind from key external parties who know steps have been taken to minimize the impact of a business interruption.

In some form, most companies are part of a supply chain, and an interruption in any part of the supply chain can impact the entire supply network. We foresee in the near future that this certification program will be used within the vendor/business partner due diligence process — providing certified companies an advantage over those that are not.


Bill Raisch, Director, International Center for Enterprise Preparedness (InterCEP), New York University

A company should pursue certification only if it offers potential business value. The certification will provide: an accepted method to confirm that key elements of organizational resilience are in place; and the opportunity to use that metric to realize business benefits.

The program is currently in development and optimally will enable you to measure resilience either on your own, with a related “second party” (e.g. a customer/supplier relationship), or via unrelated “third-party” certification (outside auditor).

A clear metric could be used to more effectively manage enterprise-wide efforts. We have several hundred firms involved right now in Working Groups to advance benefits to businesses and evaluate the use of certification in assessing supply chain resilience. This provides companies with a measure to be shown to insurance companies and rating agencies to realize benefits in insurance and credit ratings, and also in public reporting for both reputational and compliance advantages. This is all to more clearly link resilience with bottom-line benefits over time.

First steps in evaluating the certification might include:

• Educating yourself on the program and potentially joining a Working Group (info available at www.nyu.edu/intercep);

• Pursuing internal conversations with potentially interested parties in supply chain management, risk management, insurance, compliance, legal, etc.; and

• Conducting an internal self-assessment to one or more of the standards when they are identified.

Next Month’s Question: How do I maintain security employee training when faced with a tight budget?

For more information about the Security Executive Council, please visit www.securityexecutivecouncil.com/?sourceCode=std.

The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.