Over the last two years there has been a great deal of noise surrounding programs designed to certify the preparedness of private sector entities. The two most popular certifications seem to be BS25999, a standard developed by the British Standards Institute that “has been developed to help you minimize the risk of such disruptions” and PL 110-53, The Private Sector Preparedness Act Implementing Recommendations of the 9/11 Commission Act of 2007.
While there are others, most notably the Singapore Standard for Business Continuity Management, for the sake of this article we will focus on BS25999 and PL 110-53. Regardless of which standard is chosen (or standards, as will be designated under PL 110-53), the value of the certification will depend greatly upon the quality of those administering the certification and their credentials. These “certifying bodies” will determine whether the cost, effort and risk (yes, there is substantial risk in attempting to be certified) involved in becoming a certified entity have real value.
There has long been a divide between the auditor and the planner. Many practitioners can describe the frustration of the audit experience when the auditor did not have a thorough understanding of the business continuity field. This is still often the case even now that global events have driven business continuity to the forefront. Fortunately, more and more auditors are gaining education in BCP and in many cases are relying upon SMEs to help them overcome some of the knowledge gaps. But having reached resolution on one situation (the annual controls audit), we may be creating another.
This problem is starting to re-emerge in the corporate certification arena. Those who are conducting audits may not have the audit and SME qualifications to render a valid certification opinion from both perspectives. Without a clear-cut list of skills and experience in audit and in disaster/emergency management and business continuity, an opinion rendered by a poorly qualified “certifying body” may cause entities seeking certification to modify perfectly good plans. Or worse, they may be forced to restart the process, thus impugning the qualifications of the current emergency management and business continuity team. In addition, a less than satisfactory score from a certifying body may subject a company to litigation for negligence. This risk has been noted and may arise as part of a BS25999 certification, for example. If the results of the Stage 2 Audit indicate that the requirements of the BS 25999 Standard have not been met, the client will be required to agree to a corrective action plan (CAP) to address the weaknesses. When the client has addressed the weaknesses, a further conformance audit will be carried out. Once a CAP has been created it becomes a discoverable document that a plaintiff may use to show that the defendant was knowingly negligent. The possibility of this situation should raise a red flag. Therefore, ensure that the general counsel is made aware of the facts before the decision to conduct a certification audit is undertaken.
The other issue may be that a company has simultaneous audits of emergency response and business continuity, with the results of one contradicting the other. For example, an audit is conducted by a company’s outside audit firm or industry regulators, and included in that audit is the state of business continuity. This situation is becoming more and more common. The corporate auditors come to the conclusion that there are certain areas that need improvement and provide the company with a rating that reflects their findings. At the same time, a corporate certification audit is taking place and the results of this audit contradict the findings of the outside audit firm. This situation will cloud the results of both sets of audit findings. Invariably, the corporation’s outside audit findings will prevail, simply because audit issues wind up being redressed by the board of directors.
The way to overcome both of the above situations is to ensure quality in those conducting audits.
To address this need, two of the most respected names in their particular professions have joined forces to create an education and certification program that will qualify participants to audit emergency and disaster management and business continuity programs against existing standards and regulations. NFPA (National Fire Prevention Association) and DRI International (Disaster Recovery Institute) have created an interactive program to provide training, tools and hands-on experience. This program will help attendees understand the key components of emergency and disaster management and business continuity; the relevant standards, laws and regulations; and the process of analysis, creation, implementation, testing and maintenance of programs.
Course materials will probe into existing regulatory and legal requirements by industry and country. Emerging requirements receive special attention. Specifically, BS25999, NFPA 1600, ASIS, DRI International’s professional practices, financial services, insurance, healthcare, utilities and public sector guidance, and a host of others will be explored. In addition, careful attention will be paid to the processes by which emergency and disaster management and business continuity programs are initiated, with an eye toward corporate governance and policies and procedures.
Corporate planners at all levels, internal and external auditors, and those who wish to self-assess their programs (in preparation for an audit or as an indication of preparedness for their customers) will get the tools they need to perform an audit in accordance with the appropriate standards and regulations. Emphasis on audit requirements and documentation will aid in the evaluation of records, organizational roles and responsibilities, process flows and corporate oversight.
At the end of the training course, a qualifying examination will be conducted. Those passing the examination will be eligible to apply for certification as a Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA). The certification level (CBCA or CBCLA) will be granted based upon the amount of demonstrated audit experience of the applicant. Two years’ audit experience will be the experience criterion for the CBCA, while those seeking the CBCLA designation will be required to provide references to verify that they have at least five years of active audit experience. The certification will be granted by DRI International, the largest business continuity certification organization in the world. DRI International has certified more than 12,000 applicants in over 90 countries in its 20-year history.
Alan Berman is a CBCP and MBCI, a member of the ASIS BS25999 technical committee, a member of the Committee of Experts for ANSI-ANAB, a former member of the NY City Partnership for Security and Risk Management, executive director of the Disaster Recovery Institute, and co-chair of the Alfred P. Sloan Foundation committee to create the new standard for the US Private Sector Preparedness Act (PL 110-53).