
Issue Archive: July/August 2008

The Sloan Reports Straight from the Source

Author: Continuity Insights Staff

The framework report, supported by the Alfred P. Sloan Foundation, can be found at http://www.sloan.org/programs/documents/FrameworkForVoluntaryPreparednessFINALREPORT.pdf

What went into writing that report and what has happened since its release? Continuity Insights spoke with the four authors of the report to find out.

Continuity Insights: You were involved in the Interdisciplinary Team that worked together to write the Sloan Report Framework for Voluntary Preparedness - Briefing Regarding Private Sector Approaches to Title IX of H.R. 1 and Public Law 110-53, Implementing 9/11 Commission Recommendations Act of 2007. How would you describe that effort?

Al Berman: Sloan asked me to review the proposals for a number of organizations. I didn't think that they had enough subject matter or expertise either from the people who prepared the proposals or the proposal itself. My critique was taken surprisingly seriously by Sloan and Sloan asked me if I would head a committee to do this. What I elected to do is reach out to what was to become the core group. That's how my involvement came about - the project plan - and we essentially came up with what the structure was for the framework. My responsibilities were really to lay the foundation by looking at the elements that were common in interests and regulations.

Don Schmidt: I am chairman of the National Fire Protection Association's Technical Committee on Emergency Management and Business Continuity. The technical committee is responsible for NFPA 1600, so that was my invitation to the Sloan Foundation meeting last October. During that Sloan meeting, it was obvious that those around the table could not agree upon a single standard to recommend to DHS. As a result of the meeting, we decided to form the interdisciplinary team.

The goal of that team was to find a common ground. So, when the team got together, we thought it would be an arduous process, but we found it to be a fairly simple process because we focused on the essential elements of the private sector preparedness program. What are the essential elements of that program? And so, I'm speaking from 1600, what are the essential elements from 1600? If you look at the report, you will see that the terminology may be different, certainly when you compare various standards, and they may be organized differently or called by different names. But we went to "What are the essential elements of a private sector preparedness program?" And it was really easy to agree upon that.

Marc Siegel: There were four organizations that had never really worked together in the past but were brought together by having serious reservations about how the law was conceived and how it was being promoted. We decided that we would work together for the first time to put together a joint piece explaining our view, as well as the available standards and regulations that could address it. The important thing that we were trying to stress is that the law itself was not necessarily a good idea and that certification was certainly not a good idea to put in the law. What was really needed to promote preparedness and continuity management was actually an emphasis on providing organizations with the education and tools necessary to do it.

Carol Fox: I serve as the chair of the Risk and Insurance Management Society's enterprise risk management development committee. As we were hearing about the Sloan Foundation, we asked if it made sense for RIMS to be at the table. This is very key to what we do from an enterprise risk management perspective. And as the senior director of risk management for my company, Convergys Corporation, I have responsibility for business continuity planning - so I have some background in that as well as risk management. Given that context we thought it might make sense for the risk management community to be represented at this stakeholders meeting that Sloan Foundation had pulled together to give feedback to the DHS as part of the Public Law 110-53.

As an outcome of those discussions, there was a discussion about numerous standards DHS was considering. So as a group it made sense for us to look at the standards that are out there. If we could come together and do a crosswalk of what the common elements were, it might not seem so overwhelming for the government who doesn't have necessarily the depth of expertise from a private sector perspective that they do from a public sector perspective.

CI: Now that you have published this report, how do you hope the government will use it?

AB: We know that the DHS and FEMA have used it to create what will hopefully look like the framework. Most importantly, the industry people have worked with it. We've involved people from the financial sector, people from pharmaceuticals, retail, and manufacturing to take a look at it and see if it fit within the framework of what they were doing. After all, we really don't want to reinvent the wheel. There's a stipulation somewhere in the regulation that talks about getting credit for, and that's a paraphrase, work done. And we wanted to make sure that those people that had to comply with a punitive regulation, not a voluntary regulation but a mandatory one, would be getting credit for what they already did. It became important to us that this was a business effort. My concern is that this makes sense for business. I'm certainly not qualified to figure out what makes sense for government.

DS: I hope that the government will recognize the longstanding standards that are out there and build upon what we did based on the last 10 to 15 years. They don't need to reinvent the wheel - we can work in standards. NFPA 1600 has been out there since the mid-1990s. It's been utilized by many different companies in both the public sector and private sector. My hope is that they will build off of what's been in place for many years.


MS: Hopefully, they will take the advice that's given in it. It's important for them to adopt the advice that we put in there. There are multiple approaches that can be used and different types of standards that can be used that the regulated industry should be allowed to use. I really hope the government doesn't push third-party certification. This idea of the government involved in third-party certification is not typically done with standards and is generally viewed in the standards community as a very bad idea. So hopefully, they will find a fitting way to let the normal standards process take its course and really make this a private sector initiative. Having a legislative, voluntary, private sector initiative is sort of an oxymoron.

I guess the other thing we're hoping to get out of the report is [an understanding] that you don't need a stick to hit businesses and do third-party certification, but that you actually need a carrot…the education and training. The other thing we really hope that the government gets out of this is that third-party certification is a very expensive proposition. It's not easy to achieve or to develop a system that's impartial. They should look at what was done in environmental management and adopt some of the types of education and exempted programs and award programs. It really is more of a carrot approach than a stick approach.

CF: I can actually speak to how they did use it. I was on a panel in April at the RIMS conference…and one of the things pointed out was that the government did use that report. One of the outcomes is that FEMA will use existing preparedness standards, and they are working with the various standards development organizations to determine which ones they might use. Their intention, as far as I know, is that they are leaning toward that acceptance of multiple standards, which was one of the recommendations out of the report. I think they did listen.

CI: What feedback have you received regarding the Sloan Report?

AB: Universally, everyone seems to be pleased with this. We set up the foundation and started to look at it from a process and management point of view and cross-walked it against existing standards and probable standards. We thought it was pretty all-encompassing, and then we reached out to the industry to take a look at it. We went out to the financial community, the pharmaceutical community, manufacturing to get their input, and to a person we got almost no criticism. They thought that this was doable and from a business point of view, they wanted something that was executable and would be functional in their environment.

DS: I have never received any negative feedback. I know it's been widely circulated - sometimes it will come back to me in various e-mail lists where people will send it to me and say "Were you aware of this?" And, of course I'll tell them that I was one of the gang of four. But I haven't heard anything negative at this point.

MS: I got very positive feedback from the report. People liked it - the idea of being able to choose between the different standards and guidelines and regulations that are out there. The most positive feedback concerns how the third-party certification doesn't make sense. I hear an awful lot from businesses that this is something that the government really shouldn't be involved in. I think it was an example of service providers driving an issue and service provider groups being involved in advising the legislation. The problem with service providers is they're doing business for themselves. They'll be the ones who consult on this and develop education and training programs for this, and study this. And they'll be the ones that make a lot of money off of it. I think that was part of the problem. There was much heavier input from service providers than businesses in its development. Part of it, I think, was Congress trying to implement recommendations from the 9/11 report and not necessarily spending the time and analyzing the issue and really understanding how standards work. From the impression I've gotten, they were given a lot of misinformation about how standards work. For example, standards already have built-in mechanisms for preventing conflicts of interest and for accreditation and certification and training and all these things that follow the normal international ISO standards process. You have that stuff already in existence, and there's no need to recreate it.

CF: Overall, both public and private, it has been very positive. There seems to be general agreement with the conclusion, and we've had comments that it puts things in a very clear perspective, particularly the crosswalk. They found the crosswalk to be particularly helpful in taking the scope of this and bringing it down to a very understandable level.

CI: Do you have any current insights regarding the status of the U.S. "Private Sector Preparedness Act" that you would like to share with the Continuity Insights (CI) readership?

AB: It's an election year. We don't think that anything is going to happen this year. What we are seeing is momentum on the private sector side - a lot of inquiries. As you know, I've been doing a lot of speaking and I've probably talked to three or four thousand people in the last few months. What we're seeing is really an acceptance that this is a good framework for going forward. Even if the government didn't have a set of regulations, this would be a good framework for going forward, and that's the important thing. The important thing is that business is accepting this. If business fails to accept it, then it's just not going anywhere. The last thing anybody wants to have is another Sarbanes-Oxley, or preparedness would be a disaster. But then again, it's an election year - most of the people involved now will not be here when the new administration, whether it be Republican or Democrat, takes office in January. So I think we're going to see very little progress on the DHS and FEMA side. After all, FEMA has already replaced a person who was responsible for it initially, who was really very receptive to business, and has replaced him with somebody who I've met and is impressive, but I'm not sure if there's a great deal of support for it. The Chamber of Commerce - we meet with it regularly, is really acceptable to small and medium-sized businesses, and that's what we're really looking for. After all, the 9/11 Commission recommendation said to be more prepared. It had nothing to do with certifying people. Somewhere along the line we sort of dropped the ball and said "certification for companies is more important." Personally, I think preparedness is more important in giving people guidelines and tools and a framework in which to work and is far more important than the government saying "we're going to test you." We've seen this in Singapore and just recently the U.K., where companies apply for certification to big companies. 
The big companies in the U.S., for the most part, are prepared already. What we're starting to worry about - and what they're worried about - is the supply chain. We think that this will at least help set a standard and give some guidance to small and medium-sized businesses who are part of the supply chain.

DS: I hear stories but I have had no direct contact with anyone so I don't know what their thinking is at this point.

MS: I hear a lot of hype about it, but every time I talk to the people at DHS, they haven't really decided how the program is going to work yet. The hype seems to be started by service providers who are trying to steer it in a different direction, but frankly I have no idea where it's going to end up. There's still the problem of a lot of resistance from the private sector. I was at a conference recently where the people at DHS were expressing a lot of frustration that people are saying what the bill will do and how it's going to be implemented, and DHS itself has not decided.

CF: FEMA did submit its report to Congress on April 21 regarding its progress. It has been released to the House and Senate homeland security committees and House transportation. I don't have any further update since then. I don't know what more is occurring. I do know that DHS, through FEMA, has established a private sector preparedness council. Under the guidance of the FEMA administrator, this council includes government entities such as the Secretariat and a number of other agencies, and they are working this through the Office of Standards and they have, at this point, assigned the accreditation portion of this to ANAB. To support ANAB, they are forming, or have formed, a committee of experts. And they also are involving the private sector group in that effort.

CI: Do you have any other comments or concerns about the new voluntary standard?

AB: I am somewhat concerned about the impact on small and medium-sized businesses. The ability for this to be implemented will be severely damaged without the funding and support of private and public sector organizations, especially in an economy that's less promising than a couple years ago.

DS: I think that we all can agree that enhanced preparedness is one of our goals. Everybody agrees with that. The concern that I have is that the goal of enhanced preparedness can sometimes lead to a discussion of worry or disagreements over standards. That's why people need to focus in on the goal. What are the essential elements of your program? What do you have to do? And be focused on that goal in being better prepared.

One other concern that I have is talk about development of a program, and in this business, developing a good program takes a lot of work. It is not a management system where you can read a bunch of procedures, and audit that, and say "I've got it covered." It's a program that's got to be based upon hazards that are faced by the enterprise, which vary from geography to geography. It involves a lot of understanding of the business processes, hazards, and vulnerabilities. There are a lot of elements to this.

MS: My biggest concern is I don't see the reason why it's necessary. I don't see the way it's constructed in Title IX as being necessary. I don't think there was a need for government involvement, and I don't think that there was a need, as it calls for, for essentially developing a structure that doesn't follow the existing standards process. Standards already exist. There are other standards that are being developed. ISO is working on an international standard on preparedness and continuity management. So it's essentially trying to reinvent the wheel and it can end up with a system that's not compatible with how organizations work and make it a burden for organizations. I think, if it had been left to normal market forces, businesses wouldn't have had the same push back, and you probably would have more interest in preparedness and continuity management. Now people are looking at this and fighting this, rather than thinking about how to do the implementation.

CF: I think the comment that we hear is "How will it be used?" Is it going to be used to create more liabilities? Does it become a pseudo-regulatory requirement like SOX? Those are the concerns that people have had. There's a lot of concern that the government, even though this is starting out as a voluntary standard, will move to a regulatory perspective, creating additional expense burdens on the private sector.

© 2010, Gardner Publications, Inc. All rights reserved.