Telco giant AT&T recently announced its status as the first company to certify under the Department of Homeland Security’s (DHS’s) Voluntary Private Sector Preparedness Program (PS-Prep), which is administered by the Federal Emergency Management Agency (FEMA). The news received a somewhat tepid response from the business continuity community, as many interpret PS-Prep as a program designed mainly for small- to medium-sized businesses (SMBs). After all, AT&T already has very sophisticated business continuity and disaster recovery processes in place.
However, the inaugural PS-Prep certification signals the start of a make-or-break period for the program. For it to be successful, organizations — especially SMBs — must build on the momentum started by AT&T and not only certify themselves but also encourage their peers and vendors to do the same.
At its heart, PS-Prep certification is a very straightforward process: Simply certify to one of the three standards chosen by DHS — BS 25999, NFPA 1600 or ASIS SPC.1 — and you’re pretty much good to go. Unfortunately, PS-Prep is plagued by several technicalities that cause potential adopters’ eyes to glaze over faster than you can say “ANAB-accredited certifying body.”
Tim Mathews, Director of Enterprise Resiliency at Educational Testing Service (ETS), led his organization’s efforts to certify under BS 25999 and is actively involved in advising FEMA on the development of PS-Prep. In order to better understand the ins and outs of this DHS initiative, Mathews speaks with Continuity Insights about how PS-Prep can shore up supply chains, the Wal-Mart effect, accreditation roadblocks, and the special consideration for small businesses.
Continuity Insights: Where is your organization with its efforts to certify to BS 25999 and PS-Prep?
Tim Mathews: ETS was initially certified to BS 25999-2 in April 2009. This past January we completed our re-certification audit, so we are certified for the next three years.
As far as PS-Prep is concerned, we fully conform to the requirements of PS-Prep in that we have been certified through a third party to one of the three standards selected by DHS. What’s keeping ETS from getting the PS-Prep mark has to do with our certifying body’s accreditation.
When we chose to go down the path for BS 25999 certification there was only one certifying body: BSI Americas. They are accredited under UKAS (United Kingdom Accreditation Service) rules. When DHS/FEMA created PS-Prep they said that certifying bodies must be ANAB accredited. BSI Americas is not, at this stage, ANAB accredited for PS-Prep.
Due to this nuance in the way the legislation was implemented by DHS/FEMA and ANAB, we have an interesting glitch for companies that are certified to one of the three PS-Prep standards, where they meet the intent and spirit of the legislation but don’t qualify for the PS-Prep certification.
CI: That must be frustrating. What are your options?
TM: One option that we are considering is changing certifying bodies. We could transfer our current certification to one of the accredited certifying bodies. However, we put a high value on the BSI mark because we have a lot of customers in other countries. Because it’s unclear whether we would be able to maintain that mark [with a new certifying body], we have to decide whether we want to trade in the BSI mark for the PS-Prep mark.
Which one has more value? In the short term, for a global company like ETS I think a long-standing global mark has more value than a new domestic mark like PS-Prep. As PS-Prep gains momentum over time it will gain in value.
Another option is for DHS/FEMA to change their rules, where for a period of time they allow anyone that is certified to BS 25999 to become PS-Prep certified while their certifying body works through ANAB certification.
The third option is for us to work with our current certifying body to encourage them to move along with the ANAB certification process a little faster.
The interesting wrinkle in this is the recent announcement of the ISO 22301 standard. BSI Americas and the BSI have stated that they will transfer their clients from BS 25999 to ISO 22301 and essentially withdraw BS 25999. So, FEMA and DHS have to accept the ISO standard as one of the standards supported under PS-Prep, and they have yet to do that.
CI: What is the scope of your BS 25999 certification?
TM: Scope is probably the most important piece of this puzzle because the scope is what you’re audited against. You need to be very careful that the scope is appropriate for your business or it could be overwhelming.
The scope of ETS’s certification is pretty comprehensive. It includes all of our test development and assessment services, operational delivery, all of our IT in our two campuses in New Jersey and our two data centers in Delaware and Connecticut. That’s roughly 90 percent of our employees and operations. What is out of scope are our smaller field offices, most of which have less than 20 employees. Most of the stuff they rely on comes out of our corporate office anyway.
CI: Scope is tied to cost, correct? Would you include these field offices in the scope if it were financially viable?
TM: Even though the field offices are out of scope of our BS 25999 certification they are in the scope of our business continuity management system. We still have business continuity plans, emergency evacuation plans and recovery strategies for all of our field offices and employees. We chose to keep them out of the certification scope for exactly that reason: cost.
The way the certifying body looks at this is they have to do field visits and observations of every location in scope. So if we chose to include ten field offices they would have to travel around the country to visit those offices and that would take time and money. And the payback would be minimal because there is nothing unique about those offices — they are tied back to our systems in New Jersey so there’s not much risk associated with a local office impact.
Remember, scope is about cost and locations but it’s also about products and services that are delivered. For instance, let’s say you are in the electricity delivery business. If you say the scope of my BCM system is around the delivery of electricity then everything involved in delivering electricity is in scope, which can include lots of facilities and infrastructure. But if you say the scope of my BCM system has to do with the delivery of green energy from solar fields, then all you have to address is the critical activities and systems surrounding that part of the business.
The scope statement is very important for someone relying on a certification. If you’re engaging a partner that says they are certified to PS-Prep or BS 25999, you need to look at the scope because it may be narrow and include only a head office and not the manufacturing plants that you rely on, for example.
CI: What are your reasons for wanting PS-Prep certification?
TM: There are several. The most important is our customers, which are typically federal and state governments — school districts, for example — along with large corporations. For the last couple of years the customer requirements have become more intense in that we’re required to demonstrate our resiliency, disaster recovery and/or business continuity.
CI: Isn’t that demonstrated by the BS 25999 certification? Why do you need PS-Prep certification on top of that?
TM: That is why we chose to get the BS 25999 certification. We’ve gotten value from it because instead of us having to go through a week-long audit, our customers trust that the third-party auditor has done that for them. So as long as that certification is in good standing, customers are quite comfortable in accepting the certification.
The value we see in PS-Prep relates to our unique supply chain. Some of the suppliers we rely on are smaller businesses. Right now it’s very difficult for us to hold our supply chain to the same standard that we are at. For us to say, “To do business with ETS you must be certified to the BS 25999,” would be highly disruptive for a lot of small businesses because not only is it a difficult standard to implement but it is also expensive for a small business due to the third-party audit element.
What I find compelling about PS-Prep is the special consideration for small businesses, defined as businesses with fewer than 500 employees. The mechanism for certification in this case will be a “self-declaration of conformity” approach, where small businesses will essentially assess themselves and offer, through some clearing house, evidence of their own certification. They still have to show that they meet or exceed the requirements of one of the three standards contained in PS-Prep.
In theory, if I ask my suppliers to conform to PS-Prep I’m holding them to a level of preparedness that I want them to aspire to — but it should be easier to achieve. That part of the program hasn’t been fully documented and rolled out by FEMA, so we’re waiting to see what it will look like.
That is why I like PS-Prep: Because I can say to my suppliers, “We told you we want you to have a business continuity and disaster recovery plan. Now, that plan has to meet or exceed the requirements of PS-Prep.”
For example, say a small business outsources their IT to a large company that is certified to PS-Prep using BS 25999. If ETS says to the small business, “You must meet the requirements of PS-Prep,” they can assess themselves and say, “95 percent of our risk is from our IT supplier and they are certified — so we feel comfortable in self-assessing ourselves as meeting the requirements of PS-Prep.”
That said, the details have not been formalized so we don’t really know what self-declaration will look like.
CI: In your opinion, how should the “self-declaration of conformity” work for small businesses?
TM: The question is: How do I trust the claims of the person that is making the declaration?
I’ve been advocating the concept of a certification at the individual level. Here is how it might work:
Say you are the COO at a small company with fewer than 50 employees and you’ve been asked by ETS (or any business partner) to show that you are complying with PS-Prep. After saying, “What is PS-Prep?” you might go online and take some e-learning classes from FEMA, BCI or someone else, and at some point you would sit for a PS-Prep certification exam. You are not trying to be a practitioner in the field; you are just trying to demonstrate a basic level of knowledge on this subject.
Then you would get a personal credential that indicates you are qualified to speak on behalf of your organization for PS-Prep certification. The next step would be to assess your company and get your self-declaration of assessment.
My big concern is that the person doing the self-assessment won’t understand the requirements and they will just check the box in order to get the certification and any business that goes along with that.
There is also an opportunity to create jobs. Someone could go out, get this certification and then earn a living helping small businesses get certified to the PS-Prep standard.
CI: What will it take to get small businesses motivated to certify to PS-Prep?
TM: Two things will come into play: When your competitor announces to the world that they have a new feature or capability, you usually respond; there is also the Wal-Mart effect.
Back in the 80s when it implemented electronic inventory, any company that wanted to do business with Wal-Mart had to comply with their standards. So the bigger companies will push it down the supply chain and as companies announce PS-Prep certification, their peer groups will strive to catch up.
CI: How did you sell the idea of BS 25999 certification to the C-suite? Have you also had to sell the idea of PS-Prep certification?
TM: We increased our focus on business continuity planning in 2004. Not to say we didn’t have it before then but in 2004 it became a strategic activity. We built a program that we implemented based on best practices.
From 2004 to 2008 we measured our progress against a maturity model. Because we kept showing progress and management was very pleased with the progress, we got very comfortable with the notion of assessing ourselves because we had this third-party consultancy applying their methodology for maturity against our program.
The main value proposition for our management was the fact that we were doing a lot of business in countries that recognize BS 25999. It was very easy to say, “Look, we have a pretty mature program. It won’t be a big stretch for us to get third-party certification to BS 25999 and meet the more stringent requirements of our global customers.”
Our global customers recognize BS 25999 so we saw it as very little additional effort to achieve something that would be highly recognizable by our customer base.
The justification for PS-Prep isn’t as straightforward because we do not have one specific entity asking us to do PS-Prep. But I believe that the government will start to offer incentives to its suppliers in that if they are PS-Prep certified they might score better on an RFP (request for proposal) or RFI (request for information).
Since we do a lot of work with the federal government through No Child Left Behind and other programs, as well as with a lot of state governments, we feel that having PS-Prep will eventually be a requirement and should require very little additional effort.
CI: What are ETS’s costs for BS 25999 certification? Are you able to show a return on investment?
TM: The cost of certification is inversely correlated to the maturity of your business continuity management system. If you have best practices in place and use a maturity model, then the incremental cost of third-party certification is comparatively small. However, if you have no program at all and want to get third-party certification, then you have to build a comprehensive program and the cost is very large.
For us, we were very mature, so the incremental cost to get certified consisted of two pieces. The first was an internal re-work of a few things in order to comply, which I quantified as one-half of a full-time equivalent (FTE) employee — meaning I re-directed someone for six months to work on this.
Then there is the cost of engaging a certifying body — that’s a multi-year contract. For us, based on the scope and scale of our program, the costs are based on the number of days of work. Initially, the certifying body had to complete a total of 12 days of work using a senior auditor. In subsequent years the surveillance audits take fewer days, so on average it’s about 7 days per year that you have to pay for a third-party auditor to maintain your certification.
For PS-Prep information and updates, visit FEMA's PS-Prep page at http://www.fema.gov/private-sector-preparedness-ps-preptm.