A Framework for Voluntary Preparedness

Earlier this year, a new federal law calling for the creation of a voluntary private-sector preparedness standards program resulted in the collaboration of a number of industry organizations to prepare a report in response to Homeland Security legislation. The organizations that helped prepare the report: ASIS Intl., Alexandria, VA; the Washington, D.C.-based Disaster Recovery Institute Intl. (DRII), the National Fire Protection Association, Quincy, MA (NFPA); and the New York City-based Risk and Insurance Management Society Inc. (RIMS).

This interdisciplinary team combined expertise and perspectives to develop a mechanism that addresses verifiable private-sector preparedness called for in the new Homeland Security law, "Implementing Recommendations of the 9/11 Commission Act of 2007" (also referred to as HR 1 and Public Law 110-53). The interdisciplinary team's conclusions and recommendations have been released in Framework for Voluntary Preparedness.

ASIS, DRII, NFPA, and RIMS brought together professional associations that view preparedness from security management, business-continuity management, emergency management, and enterprise risk management perspectives. Framework for Voluntary Preparedness highlights the commonality of these different perspectives and approaches.

"In the report, the interdisciplinary team recommended that, in order for the private sector to adequately and voluntarily establish preparedness programs, it should be given the flexibility to choose from various standards, guidelines, and best practices that best meet their needs for preparedness," says Mark Geraci, chairman of the ASIS Intl. Commission on Standards and Guidelines. "The report identifies core common elements of a preparedness program and provides a crosswalk of existing standards, guidelines, and best practices. Preparedness and resilience, while important to businesses and organizations, must be done in a cost-effective manner that's in sync with the organization's culture and business model."

Small businesses in particular need to tailor their preparedness and resilience strategies to their financial realities. The report finds that, depending on the structure of businesses and organizations in the private sector, many are already pursuing elements or complete programs in preparedness based on the viewpoint of one or more of these disciplines. These organizations should be afforded the flexibility to build on their existing programs.

Assuring organizational resilience in the private sector requires the appropriate management of the risks related to intentional, unintentional, and naturally caused disruptions, which organizations of all sizes and types face. The report emphasizes that one size does not fit all, and it's important that the private sector have appropriate choices that fit their respective business needs. The report also notes that a major barrier to preparedness and resilience management is lack of knowledge and tools, particularly in the case of small businesses.

View Framework for Voluntary Preparedness online.

Mapping the Core Elements for Preparedness
Preparedness involves a defined methodology, program, process, and/or system to address critical core elements, which have been defined by the interdisciplinary team of ASIS, DRII, NFPA, and RIMS as follows:

Policy statement and management commitment.
Scope, program roles, responsibilities, and resources.
Risk identification, assessments, and criticality impact analyses, including legal and other requirements.
Prevention and mitigation evaluation and planning, both strategic and tactical.
Incident management, comprising procedures and controls before, during, and after a disruption (including emergency management of people, business operations, and technology).
Recovery (including rebuilding, repairing, and/or restoring).
Awareness and training.
Exercises and testing.
Program revision and improvement.

SOURCE: FRAMEWORK FOR VOLUNTARY PREPAREDNESS