NFPA 1600 is considered by many to be an excellent benchmark for continuity and emergency planners in both the public and private sectors. The standard addresses methodologies for defining and identifying risks and vulnerabilities and provides planning guidelines which address:
• Stabilizing the restoration of the physical infrastructure.
• Protecting the health and safety of personnel.
• Crisis communications procedures.
• Management structures for both short-term recovery and ongoing long-term continuity of operations.
For the remainder of this article, Comprehensive Emergency Management (CEM) will be used as an umbrella term to address all of the various activities that are addressed in NFPA 1600.
The NFPA Standards Council originally established a “Disaster Management” Committee in 1991 to develop preparedness, response and recovery guidelines for disasters. After four years of effort, the committee issued NFPA 1600 in 1995 as “Recommended Practice for Disaster Management.” Since there was a general sense that local jurisdictions were not yet ready to meet the standard’s requirements, it was issued as a “recommended practice.” As such, NFPA 1600 was originally only a formal statement of what local jurisdictions should be doing in the disaster management area – it was not a standard, per se.
The NFPA 1600 development process closely paralleled the development of the Federal Emergency Management Agency’s (FEMA) “Capabilities Assessment for Readiness” (CAR) document. ERI International’s “Blueprint for Community Emergency Management” was a source document for this original version of the standard. ERI President Rick LaValla was instrumental in both the development of the first NFPA 1600 standard and the “Operational Readiness and Capability Assessment” which later became known as CAR.
In preparation for issuing the 2000 edition of NFPA 1600, the committee took a much broader “total program approach” and incorporated elements of three related fields: disaster management, emergency management and business continuity programs. The committee expanded the standard to include activities both before and after a disaster so that mitigation activities are included as part of the effort to protect life and property.
In addition, business continuity and disaster recovery practitioners were involved.
LaValla said he was engaged by FEMA in 1996 to assist with the development of a national preparedness survey of state emergency management agencies that would result in a report to Congress. LaValla has said ERI was selected because of a long history with developing emergency management program blueprints, and assessment methodologies. ERI had also just completed writing the New State Director’s training program and text for NEMA which contained a comprehensive local government emergency management program design and assessment questionnaire.
In 1996, the DRI International and the Business Continuity Institute were asked to participate in the standards-making process. As a result, the standard includes elements of the Professional Practices that both DRII and BCI developed and is consistent with DRII’s Business Continuity Planning Model.
1600 Applies To Public And Private Sectors
The NFPA 1600 Standards Committee, whose members are both practitioners and stakeholders in these fields, worked with the industries involved and developed a consensus standard that now serves as a benchmark for disaster management, emergency management, and business continuity programs in both the private and public sectors. The standard provides program elements, techniques, and processes that now applies to all CEM programs. However, it appears the business continuity and disaster recovery professions are largely unaware of the implications NFPA 1600 has for their activities. While the original intentions of both the NFPA and the 1600 Standard may have been directed toward public safety officials, the current organization and its standard clearly impact the private sector.
The concept of public-private partnerships has become increasingly important in emergency management and the standard now addresses the need for business and nonprofit organizations, as well as governments, to be prepared to deal with emergencies. Emergency managers and business managers both understand the entire community, including residents and businesses, and must be well prepared if the entire jurisdiction is to be resilient to emergencies and disasters. Initiatives such as Project Impact and other public-private partnerships as well as local emergency planning committees have brought together public and private responders together to plan for their communities and organizations.
Convergence Of Efforts
For the past 10 years or so we have seen a convergence of public and private sector planning efforts. Businesses have been expanding disaster recovery plans to include continuity of operations and emergency response planning while governments have been expanding old civil defense and continuity of government concepts to include mitigation and recovery along with emergency preparedness and response. Today, governments are much more likely to be planning for continuity of operations issues.
Recognizing this convergence and the obvious interdependencies between business and the community, the NFPA involved the business community in the development of NFPA 1600. Consideration was given to their unique concerns. It is interesting to note that the title, “Standard on Disaster/Emergency Management and Business Continuity Programs” was created in an effort to make all of the various participants comfortable with the final product.
NFPA 1600 has now been adopted as a standard by a significant part of our industry. The Federal Emergency Management Agency, DRI International, the National Emergency Managers Association (NEMA), and the International Association of Emergency Managers (IAEM) have endorsed the most recent edition of NFPA 1600. FEMA’s Local Capability Assessment for Readiness (LCAR) program, which is used as a benchmark for state and local governments, is based on NFPA 1600. NEMA adopted 1600 as the basis for their Emergency Management Accreditation Program (EMAP). In addition, the American National Standards Institute (ANSI) has adopted NFPA 1600.
Will NFPA 1600 Become Mandatory?
Broad industry involvement and acceptance makes the NFPA 1600 Standard an industry standard under most definitions. As a result, 1600 may be on a path to adoption as a mandatory requirement. This path will follow milestones of voluntary compliance, use as a benchmark or third-party requirement, and adoption by reference. While the NFPA standards are voluntary, they are often incorporated in regulations or laws with or without modification and, since they are generally accepted as industry standards, they may be used in lawsuits as the standard that you should be operating under.
However, NFPA 1600 is not the only game in town and there are some unsettled sentiments about the application of 1600 to business continuity planning. The Business Continuity Institute has expressed concern that there is no commercial business continuity document and that in the NFPA standard, business continuity is buried within emergency management. DRII’s current strategy is to seek incorporation of its methodology, as contained in the “Professional Practices for Business Continuity Planners” in standards promulgated by the International Standards Organization (ISO). In addition, there is an ANSI group looking at continuity and disaster management and ISO 17799, an international security standard, sets forth business continuity planning standards.
As a result of these other standard setting initiatives, there may be multiple standards that impact the various CEM professions.
NFPA 1600 Outline
The NFPA 1600 standard itself is copyrighted – you have to pay to get a copy of it. However, the following outline gives you a good idea of what the standard contains.
Chapter 1. INTRODUCTION
Chapter 2. PROGRAM MANAGEMENT
• Program Coordinator
• Program Committee
• Program Assessment
Chapter 3. PROGRAM ELEMENTS
• Laws and Authorities
• Hazard Identification and Risk Assessment
• Hazard Mitigation
• Resource Management
• Direction, Control, and Coordination
• Communications and Warning
• Operations and Procedures
• Logistics and Facilities
• Exercises, Evaluations, and Corrective Actions
• Crisis Communications, Public Education, and Information
• Finance and Administration
A standard will be updated soon and a new edition of NFPA 1600 is due in 2004. A comment period concluded on June 28, 2002, and the committee will meet Aug. 14-16 in Ottawa, Canada, to discuss revisions. After the committee makes changes, the proposed new document will be published as an NFPA report on proposals. At this point there will be an open public comment period on the new proposed documents.
The NFPA 1600 Standards Committee is very interested in the input of practitioners. The committee has established task groups looking at how to further develop various aspects of guidelines. They are also trying to beef up the appendices, which are provided for information purposes only.
One task group is looking at trying to put together a glossary of terms to include as an appendix item. This is an issue that requires some effort as the standard addresses three fields that each have their own unique terminology. It will be interesting to see how the committee addresses the convergence of the three fields in the standard’s title and the terminology used between them.
Another task group is looking at comparing and matching the elements found in NFPA 1600, FEMA’s Capability Assessment for Readiness (CAR) and BCI’s documents as an appendix item to show the commonalities in all. Another is looking at developing other appendices to more fully reference guidance documents, texts, Web sites and organizations that can help the novice reader or otherwise need more help. The 1600 Committee is very much open to new ideas and interested in receiving comments.
Steve Davis is principal for DavisLogic, Inc. and All Hands Consulting. Davis has been consulting on business continuity and emergency management since 1998. He has published more than 20 articles and presented more than 60 times on three different continents. For more information see his Web site at DavisLogic.com.