Are You Prepared for PS-Prep?

 

 

At the 2010 Continuity Insights Management Conference, Bill Raisch, director of the International Center for Enterprise Preparedness (InterCEP) at New York University, fielded those questions and more from attendees who are anxious to know how PS-Prep may change the way they do their jobs.

 

But first, for those of you who don’t know the background, here’s PS-Prep in a nutshell.  Congress directed the Department of Homeland Security (DHS) to develop and implement a voluntary program of accreditation and certification of private entities using standards adopted by DHS that promote private-sector preparedness, including disaster management, emergency management and business continuity programs. The purpose of the PS-Prep Program is to enhance nationwide resilience by encouraging private-sector preparedness. The program will provide a mechanism by which private-sector entities may be certified by an accredited third party, establishing that the private-sector entity conforms to one or more preparedness standards adopted by DHS.

 

According to Raisch, “the goal was essentially to have government come in and kick start an effort and fund an effort that focuses on private-sector preparedness.”  Why?  DHS “understands that the private sector runs the better part of the critical infrastructure in the US and that they also are the primary employers and the economic engine” of our country. 

 

Raisch sees PS-Prep as a “win-win” through which “multiple benefits” would combine to increase overall private-sector preparedness.  Potential benefits include “minimizing the impact of business disruptions, insurance benefits, rating agency acknowledgment, mitigating post-event legal liability, supplier resiliency assessment, corporate governance, as well as reputational and other benefits,” according to Raisch.

 

“It will start to bring practice around some common terminology and common frameworks, and I think it will be helpful the over all profession,” he said.

 

While the PS-Prep accreditation and certification processes will be administered by the private sector, the U.S. Department of Homeland Security is responsible for:

1. Selecting standards for use in the program.

2. Supporting the development of the certification process by designating and funding the accrediting body.

3. Developing and communicating the business case for the program to the private sector.

 

As for the first point, DHS published a notice in the Federal Register in October of 2009 announcing its intent to adopt the three standards under PS-Prep:

 

DHS also reserves the right to select “additional standards in the future” according to its website.  The three standards have yet to officially be adopted, but Raisch says he expects an announcement sometime this year. 

Additionally, DHS has selected an accreditation body, the ANSI-ASQ National Accreditation Board (ANAB), “to develop and oversee the certification process, manage the accreditation and accredit qualified third parties to carry out the certification in accordance with the accepted procedures of the program.”  Certification “is confirmation that an accredited third-party certification organization has validated a private-sector entity's preparedness to a standard.  Once an organization is certified, there will be a periodic reassessment and audit process so the certification organization can continue to have confidence in the organization's conformity to emergency preparedness and business continuity management system. The certifying organizations will be accredited by ANAB. DHS will maintain and make public a listing of any private-sector entity certified as being in compliance with PS-Prep, if that private-sector entity consents to such listing,” according to DHS.

 

But what of these standards, and why does PS-Prep need to be based on standards at all? 

 

Raisch believes standards can “do a lot for us,” particularly “distilling” best practices.  Standards also are maintained and kept “evergreen” by those charged with keeping the knowledge base current, and each of the three designated standards has such a group.

 

“These standards are specific.  It’s not just three or four guys and gals getting together down the street over a couple of beers and deciding what good practice is. It’s a very formal process,” Raisch said. 

 

Raisch, who describes himself as “standards neutral,” says “the value of this program is that you can decide what you think works for you. Each of these standards have their own strengths and arguably relative weakness, but this is an opportunity to find something that is of value to your organization,” he said.

 

Raisch also noted that all three of the standards are “performance-based” rather than prescriptive.  That means the standards tell you what you have to do, but lets you figure out how to do it on your own. “They more or less give you an end to reach and let you determine how to get to that end state based on your resources and the nature of your firm and so on,” he said. “These standards provide the goal posts.”

 

Raisch emphasized that DHS is not “funding the development of standards,” but rather, choosing standards that already exist as well as a process and certifying body (ANAB) that is “definitive” and “established.”

 

“They are building on an existing voluntary process,” he said. “And I think that’s good news. Raisch said he “envisions a structured process very similar to other voluntary certifications” – such as ISO 9001 (quality management) and ISO 14001 (environmental management) – that have a proven certification process.  He said this “could allow for piggy-backing on existing audits.”

 

Raisch believes the PS-Prep program can help “advance supply chain resilience.”  Since the program is standards-based, it would eliminate the need for organizations to develop their own corporate criteria for assessing the preparedness of suppliers.  And even though specific industry or corporate needs may call for some customization, the program could still act as the foundation. 

 

Raisch also sees value in the fact that independent third-party verification of supplier resilience will provide a “single assessment of supplier preparedness that can be used by multiple customers.”  Every time you need to prove that you are prepared, you don’t have to start at square one.  And the program’s international scope also means it will be applicable “across the global supply chain.”

 

Raisch also envisions that the program will be “friendly to self-assessment or joint customer-supplier initiatives” as it has the potential to be used for both first and second-party audits.  He also thinks suppliers “could benefit from a more streamlined process” and reduce costs by using a single certification that can be “provided to many customers.” 

 

Raisch sees an upside for customers too.  “Customers could benefit from streamlining as well. Customers generally lack the resources to comprehensively review and validate the responses from a diversity of suppliers. This could provide a validated third-party assessment without the cost of individual audits.”

 

Raisch said he sees “the highest level of interest” in PS-Prep “around supply chain issues, especially looking at critical suppliers, not the entirety of your supply chain, just a particular subset of suppliers who provide mission-critical services.” He said it is important for organizations to have “some assurance that these suppliers have at least crossed the threshold of preparedness in their own operations around business continuity and emergency management.

 

The number one concern about PS-Prep is that it will become mandatory. Here’s what DHS has to say about that:

 

“Participation in the PS-Prep program is completely voluntary.  No private-sector entity will be required by DHS to comply with any standard adopted under the program.  However, DHS encourages all private-sector entities to seriously consider seeking certification on one or more standards that will be adopted by DHS.”

 

“Will it be mandatory at some point?  It’s out there.  It’s a concern,” Raisch said, adding that at the last public hearing meeting in January, DHs made it clear that “the only way that this could become mandatory from a government perspective is for Congress to legislate it.  The executive branch cannot do it through an executive order.” 

 

But Raisch believes that the program will not become mandatory, at least not for everyone.  “I don’t see it happening globally,” he said. “There would have to be some sort of high-profile issue and some egregious level of unpreparedness and then there could be a pendulum swing. That’s my gut.”

 

Raisch also addressed concerns that the program would become mandatory for utilities, many of which fear states will decide to require PS-Prep certification, adding another hurdle in an already heavily regulated sector. He said he has no evidence that this is the case.  He also offered reassurance that “there’s an effort right now being championed by the infrastructure element of DHS headed up by Jim Caverly to take core critical industries and essentially cross-map their existing regulatory and other general practices to these standards.”  The goal of that would be to “make it easier for certification process to occur. People will be able to look at that and see that they are x percent there.”

 

Another common concern is how small companies – historically the least prepared and the most likely to fail – will be able to comply with PS-Prep in a way that is realistic and meaningful.

 

While most small companies are not likely to pursue PS-Prep certification on their own, they are increasingly being asked to demonstrate preparedness by the larger companies they serve. Eventually, they could be asked by larger firms to comply with PS-Prep. 

“How do you do vendor planning with small vendors?” Raisch asked.  “You work with them.”  He suggests a mentorship approach, in which “larger entities might identify critical suppliers and work with them over a period of time, saying ‘We’d like to move you with us toward certification.’”

 

That help could take the form of templates or a “package of material” that larger organizations have the resources and means to create and distribute to smaller critical partners and suppliers. This “community-based approach” makes a lot of sense, Raisch said.

 

He cautioned against “issuing an edict overnight” in favor of respecting the relationships you’ve built with your vendors and not turning it into a “do or die” situation.  He suggests that larger organizations work with smaller ones to develop a timeline and help provide resources to them to “make it a little easier.”

 

DHS also is aware of the challenges PS-Prep poses to small businesses, saying that “the Act recognized that small businesses need to be treated differently in the PS-Prep program, and requires DHS to give special consideration to small business concerns.”

 

 

That could mean a different type of assessment, according to Raisch.  Instead of a third-party assessment or audit, “special accommodations for small businesses could include self-assessments or self-declarations,” which won’t pack the punch of a third-party certification but will at least ensure that “even your small guys are familiar with business continuity and why it’s important.”

 

With so much uncertainty and wariness about the PS-Prep program, Raisch said he is advocating for a “potential early adopter or pilot program to take the program around the block.”  He hopes such a program would “bring this down to the real life level” by answering questions like “What is it about?  How disruptive is it?  How costly is it?”

 

“Our proposal to DHS is that we test it out first,” he said. “I’d like to see us crawl before we walk and walk before we run…DHS is hesitant to stop the process for the pilots, but the reality is that until this has some definition and some track record, I don’t think everybody is going to think this is the best thing since sliced bread. You need to demonstrate that this has value first, and that’s what these pilot projects can be about. We’ll see where our suggestion goes.” CI