Emergency Preparedness Certification Standard Has Not Emerged

May 6, 2008 2:42 PM

           

The majority of U.S. companies have a formal, written plan for emergency preparedness, according to a report released by The Conference Board. But a widely adopted certification standard for such plans does not yet exist.

Three-fourths of 302 senior corporate executives surveyed in mid-2007 said that an emergency preparedness plan exists in their companies. The analysis was sponsored by the Department of Homeland Security (DHS) as part of an ongoing research project to assess the effectiveness of security in American companies.

The survey sample was intended to reflect the characteristics of American businesses as defined by size and industry. The sample was divided into three strata: small business (companies with $5 million to $50 million in annual sales); mid-market ($50 million to $1 billion in sales); and enterprise ($1 billion or more in sales). Within these groups of companies, the survey polled executives with responsibility for security, business continuity, crisis management and emergency response efforts.

A “voluntary” certification process for preparedness was adopted as part of the 2007 Homeland security legislation (Public Law 110-53). The choice of standards that would permit certification under the law is currently under review, and it is expected that several different standards may qualify for certification.

“Currently, the most significant finding is that none of the many standards proposed for certification has attained widespread usage in the private sector,” says Thomas Cavanagh, senior research associate, Global Corporate Citizenship, The Conference Board.

The most common standard is the ISO 27001/17799 information security standard, which has been implemented by 23 percent of the surveyed companies. Following close behind, used by 20 percent of companies, is NFPA 1600, which was endorsed as the National Preparedness Standard in 2004 by DHS, the U.S. Congress, the 9/11 Commission and the American National Standards Institute (ANSI). Three other kinds of standards have all been implemented by 12 percent of companies.

The larger companies are more likely to have implemented the most widely known standards. At the enterprise level, 30 percent have adopted the ISO information security standard, compared with 24 percent of mid-markets and 15 percent of small businesses. Despite its high visibility as the National Preparedness Standard, NFPA 1600 has been implemented by 29 percent of large companies and less than 18 percent of those below the enterprise level. NIMS (the National Incident Management System) has been adopted by 19 percent of enterprise-level firms, compared to 10 percent of mid-markets and only 4 percent of small companies. The discrepancy is most dramatic with regard to C-TPAT (aimed at securing the supply chain), which has been implemented by one-quarter of large businesses but only single-digit percentages of companies with less than $1 billion revenue.

As with the other procedures examined, the size of the company has a major impact on the level of preparedness. Roughly three-fourths of companies at the enterprise level conduct regular risk audits, mitigation and activation of their backup facilities, and two-thirds undertake regular tabletop exercises. Annual risk audits are conducted by 69 percent of mid-market companies, and 53 percent of mid-markets report that they conduct regular mitigation activities and backup site activation. However, only 31 percent conduct tabletop exercises at least once a year. Fewer than half of small businesses report that they conduct any of these activities on an annual basis.

Different industries have different approaches to the pursuit of preparedness. The clearest example is the IEEE SCADA standard, which is used by many firms in the energy industry (38 percent) but is rarely encountered in other sectors of the economy. NIMS is the most widely utilized in the energy and health care industries (38 percent and 29 percent respectively). The financial services industry leads the way in the implementation of NFPA 1600 (36 percent) and the ISO IT standard (33 percent).

Ownership structure is also strongly related to these aspects of preparedness. Among publicly traded companies, at least 70 percent report that they conduct risk audits, mitigation, and backup site activation at least once a year, and 59 percent undertake annual tabletop exercises. The proportion conducting annual risk audits falls to 58 percent for privately held companies and 47 percent for family-owned companies. Only 52 percent of private firms and 37 percent of family-owned companies conduct annual backup activation, and regular mitigation is undertaken by 43 percent of private companies and 40 percent of family firms. Regular tabletop exercises are conducted by only one-third of private companies and one-tenth of family-owned businesses.

The financial services sector is at or near the top of the list of industries on virtually every one of these procedures, with especially impressive showings for backup facility activation (72 percent) and tabletop exercises (64 percent). Service industries are most likely to schedule “work from home” days, a procedure most commonly followed in health care (39 percent), business and professional services (36 percent) and other services (32 percent).

The most common item in emergency preparedness plans is crisis communications, which is included in 91 percent of the plans. Almost as common is inclusion of evacuation procedures, present in 89 percent of plans. Other common items are securing access to facilities in 77 percent of plans, locating employees in 75 percent, first aid in 65 percent, liaison with first responders in 64 percent, legal representation in 42 percent and coping with stress and trauma in 39 percent.

Compared to smaller companies, firms at the enterprise level are far more likely to have implemented written plans that contain these specific items. Eighty-eight percent of large companies have a written plan for crisis communication, compared to 63 percent of mid-markets and 48 percent of small businesses; and 52 percent of enterprises have a written plan for legal representation in the event of an emergency, as opposed to 24 percent of mid-market firms and 17 percent of small companies.

Among the companies with emergency preparedness plans, 58 percent have had the plan approved by their board. Therefore, 43 percent of companies overall have written emergency preparedness plans that have been approved by the board.

“It is quite surprising that so few large companies have board approval on their emergency preparedness plans,” says Cavanagh. “This could be because in larger companies, emergency preparedness is considered an operational rather than a strategic issue, so it may not be considered essential to send it to the board for review.”

The most common procedure companies currently have in place for emergency preparedness is by far the maintenance of an off-site storage of data and documents. This step is essential for business continuity in the event that a firm’s primary facility is damaged or otherwise inaccessible. Fully 81 percent of companies report that they store these materials off-site. But a much smaller proportion (40 percent) has an off-site emergency operations center.

Some basic procedures are performed at least annually by a wide range of companies. Fully 83 percent of companies regularly update their emergency contact information, and 81 percent conduct fire and/or evacuation drills at least once a year. Two-thirds of companies give regular messages about security to their employees and conduct risk assessments and vulnerability audits, while 57 percent follow up the audits by implementing plans to mitigate the identified weaknesses. Some 56 percent of companies activate their backup facility in a test at least once a year.

Business continuity programs originate from the need to recover IT operations in the event of a system crash. So it is not surprising that the most frequently mentioned item in BC plans is maintaining IT systems, present in 92 percent. In general, the most common items on the BC checklist refer to basic utilities, facilities and HR issues.

Companies at the enterprise level are especially likely to have implemented business continuity plans dealing with the conduct of business operations. The energy and finance sectors are most likely to have written business continuity plans, with 92 percent of energy companies and 90 percent of financial firms reporting such a plan.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

SUBSCRIBE

Select an Issue April 1, 2008 March 1, 2008 February 1, 2008 January 1, 2008 December 1, 2007 November 1, 2007 October 1, 2007 September 1, 2007 August 1, 2007 July 1, 2007 June 1, 2007 IP Security Supplement May 1, 2007 April 1, 2007 March 1, 2007 February 1, 2007 January 1, 2007 School Security December 1, 2006 November 1, 2006 October 1, 2006 September 1, 2006 August 1, 2006 July 1, 2006 June 1, 2006 May 1, 2006 April 1, 2006 March 1, 2006 February 1, 2006 January 1, 2006 December 1, 2005 November 1, 2005 October 1, 2005 September 1, 2005 August 1, 2005 July 1, 2005 June 1, 2005 May 1, 2005 April 1, 2005 March 1, 2005 February 1, 2005 January 1, 2005 December 1, 2004 November 1, 2004 October 1, 2004 September 1, 2004 August 1, 2004 July 1, 2004 July 1, 2004 June 1, 2004 May 1, 2004 April 1, 2004 March 1, 2004 February 1, 2004 January 1, 2004 December 1, 2003 November 1, 2003 October 1, 2003 September 1, 2003 August 1, 2003 July 1, 2003 June 1, 2003 May 1, 2003 April 1, 2003 March 1, 2003 February 1, 2003 January 1, 2003 December 1, 2002 November 1, 2002 October 1, 2002 September 1, 2002 August 1, 2002 July 1, 2002 June 1, 2002 May 1, 2002 April 1, 2002 March 1, 2002 February 1, 2002 January 1, 2002 December 1, 2001 November 1, 2001 October 1, 2001 September 1, 2001 August 1, 2001 July 1, 2001 June 1, 2001 May 1, 2001 April 1, 2001 March 1, 2001 February 1, 2001 January 1, 2001 December 1, 2000 November 1, 2000 October 1, 2000 September 1, 2000 August 1, 2000 July 1, 2000 June 1, 2000 May 1, 2000 April 1, 2000 March 1, 2000 February 1, 2000 January 1, 2000 December 1, 1999 November 1, 1999 October 1, 1999 September 1, 1999 August 1, 1999 July 1, 1999 June 1, 1999 May 1, 1999 April 1, 1999 March 1, 1999 February 1, 1999 January 1, 1999 December 1, 1998 November 1, 1998 October 1, 1998 September 1, 1998 August 1, 1998 July 1, 1998 June 1, 1998 May 1, 1998 April 1, 1998 March 1, 1998 February 1, 1998 January 1, 1998 December 1, 1997 November 1, 1997 October 1, 1997 September 1, 1997 August 1, 1997 July 1, 1997 June 1, 1997 May 1, 1997 April 1, 1997 March 1, 1997 February 1, 1997 January 1, 1997

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue