Predicting the Future for PS-Prep
Sun, 09/12/2010 - 8:00pm
Yes, PS-Prep/911 Commission/S.4-HR1/PL 110-53/Title IX (add another name here) has been in discussion stage for over five years now.
You need these three basic components to be in compliance with the intent of PS-Prep: an overall business-related vision, the right subject matter expert, and management support.
Many organizations and individuals appear to believe they have the answer to tell private-sector companies how to plan to run their organizations based on what regulations may come our way.
As is the case with many initiatives, the original intentions were good and it has gotten quite complicated along the way.
How will you be certified? Who will do it? What will it cost? Why should a large company pay to be “compliant” if a small company doesn’t have to? What will the requirements be?
The most important question is: Does it add business value? There could be major human, natural, or technological incidents (planes flying into buildings, major oil leaks, etc.) that trigger speeding up the process. Senators that got involved in recommending compliance did so for a reason, and there will be others who push the issue for different reasons. The federal government should not get trumped by local or states on this one, although if you get the right local or state leader who understands the value of such a program, they can get it jump-started.
S&P and sector industries have been talking about it and could be working to make it mandatory in their industries.
Insurers can make compliance with it their new norm to be highly protected if they like, but that will take time.
Companies that have incident planning in place, identify risks and critical processes, test and plan for business interruptions, have solid crisis communications programs, and work with external partners do so because it has business value. They don’t do it because it may become a requirement, or because someone from security, risk management, supply chain, IT, or finance said so.
Companies that have a resilient business continuity process have already received a great deal of benefit from their preparedness efforts and likely have many success stories to share.
Some companies are already telling their critical partners that if they want to work together, please let us know what you are doing to maintain your continuity of operations.
The key ingredients are having the right vision, the right individual driving the process, and management support behind the effort.
If you have a resilient process and you are told to comply with something else to get certified, you can modify planning a bit and work toward certification, but to start from scratch is a very large task.
We can talk to it and have been doing so for the past few years, but at some point in time it is necessary to roll up your sleeves and start doing something productive, so keep in mind: “add business value.”
PS-Prep was established as a mechanism to provide independent third-party certification of the emergency preparedness of an organization. Its aim is to address operational risk which includes disaster recovery and business continuity. Participation in PS-Prep is – at least at this point – voluntary, and it is a private-sector led program. The basis for the PS-Prep is existing private-sector standards.
I have a feeling that in the not-so-distant future PS-Prep will be mandatory for a large segment of the business population. I think that there will be a line between organizations that are required and those organizations that are outside the parameters. It is important to note that PS-Prep is now administered by the private sector with heavy involvement from the United States Department of Homeland Security (DHS). Involvement so far by the DHS has been to select the standards that will be used in the program, support the development of the certification process by creating an accrediting body, and develop and communicate the business case for the program.
Before this program is officially launched a number of questions must be answered. Questions like: What will the auditing standards be? How does a third-party firm become “certified” to conduct the certification? Who will conduct the certification training program? What are the penalties for not complying? This short list of questions only scratches the surface. I am sure that there are many more questions that need to be asked.
In my opinion, it is inevitable that PS-Prep will become mandatory for a segment of business at some point in the future. Someday we will look back and make a determination of PS-Prep’s usefulness. That chapter is still waiting to be written.
As a government employee, a part of me hopes it becomes mandatory, but the rational part of me says leave it as a volunteer opportunity. I would like to see it implemented in such a way as to allow for participants to have an edge over those non-participants in the form of easier-to-obtain post-disaster grants or loans, or maybe even mitigation grants for continuing to improve preparedness. It has the look of a program that once in place could easily become mandatory in the vein of NIMS compliance. So, I guess for now we can only wait and see how much government involvement there will be in the future of business continuity in the name of security.
Okay, here’s the thing, I’m a paramedic and a lawyer, so stick with me through the analogy ....
EMS in the USA frequently works like this: There is an ambulance service. They have to respond within nine minutes to all calls, all the time, with a required set of equipment costing about $250,000, and two licensed people who know how to use it. They get paid by Medicare, Medicaid, and private insurance. Medicare only wants to pay for transport of the sick person, and only when it was needed, and won’t pay for any of the costs of standing by or for the response when it wasn’t necessary. Medicaid doesn’t even cover the cost of response. Private insurance (and self-payors) gets gouged and is probably going away soon. The ambulance service probably doesn’t break even. It is socialism – that you have to accept Medicare by law and you can’t bill the patient for more than that. They have a contract with government to respond to ambulance calls and the local government may (or may not) subsidize them. But on the other hand, paramedics are not commonly sued for poor care for a variety of cultural and practical reasons.
So, the only way to break even is to compete on the price of the government subsidy. You have a minimal number of licensed ambulances of minimal size with a minimal equipment list, staffed with employees you pay the minimum. Since there is almost no litigation, there is nothing driving quality above the minimum (baseline compliance is the quality measure). No matter how well government writes the contract, there will always be another crack to fall through in the effort to save a buck. No government in America is willing to pay more for higher quality – we are now the land of the lowest bidder.
What is the point of all this? The point is that business continuity under PS-Prep could be even worse off than EMS. No organization that I know of is willing to pay more for a higher quality of business continuity because we don’t have a clear consistent universal measure of BC quality. But at least people know what the heck the ambulance is and what it does, and even if they don’t think about it unless they are the ones who need one, at least most of the public think ambulances are kind of important.
So, a dream world would be one where there is both a floor (PS-Prep) and drivers for quality (litigation, which drives insurance, or just plain insurance discounts). But neither of these is going to happen until we can really, truly define and measure quality. What scares me is that we go only halfway and end up like EMS, where baseline compliance with PS-Prep is the quality measure. And anybody who has worked for government knows their tradition of serving up a half-baked cake.
Mandatory PS-Prep compliance does not appear to be on the horizon. But if the private sector fails to embrace voluntary compliance and future emergencies are met with systemic failures, making PS-Prep mandatory may be one response. However, private-sector business continuity practitioners and their management should consider moving apace toward voluntary PS-Prep compliance as a possible means of prudent risk management. If sufficient numbers of firms comply and business continuity is maintained in the face of worst-case disasters, there will be no need for mandatory compliance.
On numerous occasions, DHS representatives have gone on the record indicating that the PS-Prep program will remain voluntary. Additionally, to move from voluntary to mandatory, the law would have to change as well. This doesn’t mean that some organizations won’t see value in certification and ask suppliers and business partners to model their preparedness programs based on one of the three DHS-identified standards and seek certification based on a scope that serves their interests. Of note, I used the word “ask.” In this situation, a supplier could very well make the business decision not to pursue certification – or even business continuity in general. But that’s a business decision, and in doing so, the supplier may be walking away from a business opportunity. Regardless, it’s a voluntary decision to meet a customer request.
Overall, organizational certifications have existed for some time in other disciplines – quality, environmental management and information security, to name a few. Although these certification processes are not run by a government entity, they haven’t become mandatory. Instead, each certification emerged as a possible competitive differentiator for those entities that made the business decision (based on a cost-benefit analysis) to pursue these capabilities and credentials. I don’t believe all organizations benefit from certification – but I do believe that all organizations could benefit from many of the practices recommended in NFPA 1600, BS 25999 and SPC.1. That’s the value in PS-Prep – this voluntary program is creating awareness regarding standards and getting business continuity professionals thinking about improved preparedness/performance.
The question pertains to PS-Prep, so I’ll restrict my thoughts to the U.S. I actually think things could be very different in other countries.
In fact, some elements of PS-Prep are already mandatory. One of the misperceptions of PS-Prep is that it only addresses the recovery of business and IT processes following an interruption. The reality is that it includes a lot of emergency preparedness and response activities currently required by the Occupational Safety and Health Administration (OSHA), state and federal Environmental Protection Agencies (EPA), state and federal Departments of Transportation (DOT) and other regulatory bodies. These are well outside the mainstream thinking of business continuity regulations we might recall relative to the financial, healthcare or utility industries.
There are lots of good business practices that have never been mandatory. Business continuity management is only one of them. Even as someone who makes his living helping clients get better at BCM, the last thing I want is for standards to be force fed to my clients in an arbitrary way. The thing my clients tell me separates me (and other good consultants) from the average ones is our ability to take principles we know will work and tailor them to be a perfect fit for clients. Mandatory standards would create a compliance environment where the goal eventually stops being improved resilience and starts becoming a journey to see how little we can spend on this without getting our hand slapped and the easiest way to check a box. We already see this in the regulated industries. A properly written standard would still allow that, but I’m not convinced that is the world we’re heading toward.
Which leads me to the next point, namely that PS-Prep is flawed because it endorsed the idea of multiple standards. In my mind, the only thing worse than having one standard shoved down our throats would be multiple standards shoved down our throats. The last time I checked, standards are supposed to be standard. We no longer have both HD DVD and Blu-Ray. They battled it out to see which would be the more accepted standard for high definition entertainment and Blu-Ray won. As a result, Blu-Ray players and disks are far cheaper and more widely available. If we have to have a mandatory compliance to a PS-Prep environment, one standard we all rallied around would be light years better than where we are now. We are headed toward a world similar to what the Europeans have in their road toll system where trucks need to be equipped with literally 10 different technologies just to do their job, adding startup and maintenance costs, production slowdowns and significant inefficiency to the process.
Multiple standards competing for people’s attention is not bad in the early stages. It allows the best ideas to be incorporated into the ultimate single standard. Ultimately PS-Prep’s fatal flaw is that it actually encourages multiple standards to be developed and submitted forever. If anyone disagrees with me, I have a gently used HD DVD player for you. If you “buy it now” I’ll throw in my Betamax player for free.
Kathy Lee Patterson
From what I have investigated thus far regarding Private Sector Preparedness (PS-Prep), this act was designed by DHS after 9/11 to develop a voluntary program for private-sector organizations to become accredited and certified according to one of three established standards. These three standards require the private sector to develop emergency management, disaster management, and business continuity programs for their organizations.
From the healthcare industry perspective, I don’t believe that PS-Prep has direct impact. Healthcare has established regulatory requirements for numerous disciplines, including BC, DR, and EM. These regulatory bodies have been maturing their business continuity, disaster recovery and emergency management requirements over the years, becoming more stringent, aligning with other industry mandates.
Where I do believe healthcare organizations could be affected is if this new standard becomes mandatory. The benefits of PS-Prep becoming mandatory to private-sector organizations could be realized in better preparedness for manmade and natural disasters by the private-sector companies that service and supply healthcare institutions. This would enable them to be more prepared to continue supply chain functions after a serious disaster. When selecting a private-sector vendor, the fact that they are accredited and certified may aid the selection process. On the flip side, in this struggling economy, mandating the private sector to spend additional funding on business continuity and disaster preparedness could cause the price of goods and services to rise and some struggling businesses to shut their doors.
As with any new standard addressing business continuity, disaster recovery or emergency management, the BC, DR, or EM professional needs to obtain a complete understanding of the requirements of PS-Prep and which standard will best fit your organization. I do not believe that PS-Prep should become mandatory until all aspects of the standard have been fully vetted out.
Given the regulatory landscape, the challenges getting PS-Prep defined and agreed in the first place, and the host of requirements already in place for various industries, I would be surprised if PS-Prep becomes mandatory. Since PS-Prep cuts across industry domains, there would be a host of challenges ensuring consistency between PS-Prep and the variety of standards in place. Without the proper guidance from the regulators, this would cause real confusion.
That said, I don’t mean to imply that this (making PS-Prep mandatory) would be a bad thing, just that I have my doubts about this as an actual governmental requirement.
Still, there is real value to PS-Prep. The fact is that it does provide a key framework via which to launch and develop a solid continuity program and could wind up with real teeth within the lower-level vendor or provider space. The fact is that many organizations that deal directly with government agencies will adopt this standard if only to get a leg up on their competition for public-sector business. While that adoption will be voluntary for the primary vendor or tier-1 provider, it could very easily become mandatory for all lower-level providers that service that tier-1 provider.
Based on the fact that firms commonly outsource key aspects of their business offering – often anything that is not considered a core competency – it almost becomes necessary to ensure your subs are certified as well. Otherwise your own certification is meaningless and your reporting is like the proverbial watermelon, green (compliant) on the outside but red (non-compliant) on the inside.