Lisa DuBrock, CPA, CBCP, MBCI — a contributing writer to this website — recently wrote an article published in the Winter 2013 Edition of the Edison Electric Institute Newsletter, an edition dedicated solely to updates and stories about key business continuity issues in the electric power industry.
The Edison Electric Institute (EEI) is the association of United States shareholder-owned electric power companies. Its members serve 95 percent of the ultimate customers in the shareholder-owned segment of the industry, and represent approximately 70 percent of the U.S. electric power industry. EEI also has more than 65 international electric companies as affiliate members, and more than 170 industry suppliers and related organizations as associate members.
Established in 1933, EEI works closely with all of its members, representing their interests and advocating equitable policies in legislative and regulatory arenas. In its leadership role, EEI provides advocacy, analysis, and critical industry data to its members, to Congress, government agencies, the financial community and other opinion-leader audiences.
If you or your organization works within the electric power industry, visit the EEI website for more details about what the institute offers, to register as a member, and to receive access to the Winter 2013 edition of this newsletter.
Fortunately, Lisa was able to offer our website full access to her article. As you read it below, you may find common areas of interest and application that will help your own organization better understand the difference between certification and compliance, how implementing a PS-Prep standard fits into that certification vs. compliance decision, and how any of the PS-Prep standards can add value to your organization.
The article is also offered as a valuable reading resource to submit to those PS-Prep planning strategy team members in your organization:
10 Steps to Conformity, 8 Steps to Compliance:
Steps to Implementing a PS Prep Standard
By Lisa DuBrock, Radian Compliance
Compliance vs. conformity: what does that mean? If an organization chooses not to get certified, it has instead decided to comply with a standard. If an organization decides to get certified, it will undergo a conformity assessment against a standard.
One of the questions asked most often about becoming PS Prep certified is: How does my company get certified? The question that should be asked before that is: Should my company get certified? There are reasons to get certified (from supply chain requirements to competition) and even some reasons not to (there is currently no driving need to get certified, and the one most frequently cited, but not necessarily correct, is that it is too expensive).
In general, the question that can be asked back is: “Why go to college for four years and then not get your degree?”
Below is a series of ten steps for a company to take to get certified. Only two of the steps (marked with an asterisk below) can be eliminated if an organization has decided to comply with a standard rather than certify.
Steps to Implementation of a PS Prep standard
1. Pick a standard – There are currently four standards recognized within the PS Prep program: ANSI/ASIS SPC.1, Organizational Resilience: Security, Preparedness and Continuity Management Systems (ORMS); BSI BS 25999-2:2007, Business Continuity Management System (BCMS); and NFPA 1600:2007 and NFPA 1600:2011, Standard on Disaster/Emergency Management and Business Continuity.
ISO 22301:2012, Societal Security: Business Continuity Management Systems, is not currently part of the program but is expected to become part of it. Because ISO 22301 has replaced BS 25999-2 internationally, both standards are discussed here.
How does an organization go about picking a standard? Can an organization pick and choose among the various standards? These are frequently asked questions. First, some clarification. You may certify to multiple standards, but you cannot take pieces from each standard to get a certification; the certification is PER standard. Therefore, the short answer is 'yes, you can choose multiple standards', but there is always a '...but...' qualifier.
In some instances, due to the very different requirements of a business, multiple standards may work best; but if the organization chooses multiple standards and certification, it must get certified in each standard in its entirety. One example may be within the electrical industry: the corporate functions might wish to follow one standard, while the traditional electrical network functions might choose another. In this instance, there is a clear delineation between the areas of the business.
What cannot be done, however, is to use a clause from one standard, and another clause from another standard within the same business area.
The strengths and weaknesses of the different standards have been debated quite a bit on the blogosphere, so, just as a reminder, the strengths of the individual standards are:
- ANSI/ASIS SPC.1 is risk based and includes security and continuity; it also has a normative reference to ISO 27001, Information Security Management Systems.
- BS 25999-2 was developed by the British Standards Institution in conjunction with the BCI (Business Continuity Institute) and closely follows the BCI best practices.
- ISO 22301 is the newest standard; it has been published internationally by ISO and will be recognized around the world. It is a management system standard and was based in part on BS 25999-2.
- NFPA 1600 was developed by the National Fire Protection Association. It is heavily weighted towards emergency management and response. The 2007 version is not management system based, whereas the 2011 version incorporates a limited number of management system principles.
The recommendation is to review each standard and their specific requirements to determine what is best for your business.
2. Set a scope – Once an organization has picked a standard, the next most important thing for it to accomplish is to set a scope for its system. This is typically a formal scope statement that becomes part of the Business Continuity or Organizational Resilience Policy. The scope statement is typically defined using several kinds of boundaries, including geography, business line, and business function.
In defining the scope statement, it is important that senior management agree to the scope and that it makes sense for the organization. In some organizations, the business continuity scope has been defined as the program office that provides governance and support for business continuity, together with the emergency management process and its corresponding roles and responsibilities. This is a way for an organization to get its arms around a management system, but it may lead to some very specific enhancements being needed to support the requirements of an ISO-type management system.
As a consultant, a frequent complaint I hear is 'Of course we have a management system in place, we made XXX dollars last year'. Unfortunately, they do not necessarily have an ISO-type "management system" in place.
An ISO management system works on the premise of ‘Plan, Do, Check, Act’ with a continual improvement cycle driven by management accountability.
3. Perform a self- or pre-assessment – This type of review is specifically against the standard the organization has adopted. A self-assessment may be performed either by the organization or by a competent consultant. A pre-assessment is a term used specifically by a registrar and is performed prior to a registration conformance assessment. In both cases, gaps to the standard are identified. In the case of a self-assessment, remediation plan suggestions may also be included.
There are a few tools an organization can purchase to conduct a self-assessment. These tools do not necessarily provide the detail and reasoning behind a particular clause of the standard, so interpretation by the assessor is paramount to getting the appropriate answers.
4. Close the gaps – The gap assessment may identify some gaps. These can be sorted into two types: management system gaps and Business Continuity discipline gaps.
- Management System Gaps – These are gaps that are standard to any management system. In the PS Prep program, this includes BS 25999, ISO 22301, SPC.1 and, to a lesser extent, NFPA 1600. A management system follows not only the plan, do, check, act life cycle but also a number of common elements: management commitment, resources and training, management review, internal audit and continual improvement are present in all management systems. Setting a scope and, in most cases, measurable objectives are also requirements.
- BC Discipline Gaps – These types of gaps are very familiar to business continuity professionals. They would include gaps in the BIA, Risk Assessment, Incident Response, Plan Development, Plan Maintenance and Plan Testing. The standard you select will dictate the requirements of your BCMS/ORMS.
5. Select a Registrar * – This is the first area where compliance and conformity to a standard diverge. If you are looking for compliance, you do not need to select a registrar. If you want to be certified as being in conformity with PS Prep and a standard, you will need to select a registrar, and due diligence is required. As of the date of this article, two registrars had been designated as PS Prep accredited registrars. A full listing can be found at http://anabdirectory.remoteauditor.com/. When selecting a registrar, try to find one that has experience in the electrical or utility industry. Also ask for the resume of the auditor you will be dealing with: it is not the sales person you are talking to, but rather the auditor, who will be communicating with you over a three-year period. If your organization has other management system certifications, such as ISO 9001 or ISO 14000, contact the management representative for those standards in your organization and ask for assistance.
6. Provide Training – Competence of personnel within the management system is required by most of the standards; this includes not just competence in the business continuity discipline but also in the standard you selected and in the organization's BCMS/ORMS. An awareness training class should be considered for all members directly within the BCMS/ORMS and for key interested parties.
7. Operate your system – Conformity to a standard is much more than creating documentation. All of the standards approved by the PS Prep program require you to 'do'. This is the process in which evidence is collected over a period of time; that evidence shows an auditor that you are in fact operating within your BCMS/ORMS. It includes such things as management review minutes, internal audit reports, proof of updates to your business continuity plans, tests of those plans, actual events, etc. An old adage is: once you 'say what you do, you have to do what you say'.
8. Internal Audit – An internal audit is part of every standard within the PS Prep program except NFPA 1600; this will probably change in the next version of that standard, due in 2013. An internal audit should be conducted annually. It is a little different from typical internal audits, which are mainly based on financial, operational and/or system internal controls: this internal audit is against the standard. Issues or gaps noted during an internal audit are typically considered non-conformities and are brought forward as part of the management review process and the continual improvement process.
If you are seeking certification, you will need an internal audit conducted prior to your stage one and stage two registration audits.
9. Certification Path * – This is the second area that is not required if the organization is seeking compliance to a standard. If you are seeking certification, or conformity to a PS Prep standard, this is your path to certification.
a. Stage 1 – a documentation review. This is a review by your registrar's auditor to determine that you have all the required documents in place and that the elements of the standard are present in those documents.
b. Stage 2 – an effectiveness review. This is a conformity assessment of the operation of your organization's BCMS/ORMS. To be successful in this review, you will need to show evidence that you are operating your BCMS/ORMS. Upon successful completion of this review, you will be recommended for certification.
c. Certification – Typically three to six weeks after successful completion of your stage two audit, you will receive your certificate. The certificate will include the agreed-upon scope statement you defined in step 2 above.
10. Improve your system – Just as your current business continuity program is not stagnant, neither will your BCMS/ORMS be. Throughout your certification period you will be identifying both preventive and corrective actions, upgrading your system, and conducting internal audits and management reviews. Continual improvement is really what a great management system is about.
Your certification is good for three years. During this time your registration auditor will visit you no less than annually and will review certain elements of your system against the standard. At the end of the three years, you undergo a re-certification audit and the three-year cycle continues.
Whether you decide to follow the eight steps to compliance or the ten steps to conformity, your adherence to a standard will bring more maturity to your program. Within the PS Prep program and internationally, adherence to a standard is adherence to an excellent baseline.
Radian Compliance, LLC (www.radiancompliance.com) provides Governance, Risk and Compliance services with offices in Chicago, IL and Washington, DC. We guide our clients to the best processes and solutions enabling them to make their business resilient, secure information, achieve IT Governance and effectively manage vendor compliance requirements through the implementation of Business Continuity Management System, Information Security Management System, and IT Service Management System frameworks. Radian Compliance works in an advocacy role to ensure the organization has the education and tools to continue managing its compliance requirements beyond our engagements.
Lisa DuBrock, CPA, CBCP, MBCI, firstname.lastname@example.org, is a Managing Partner for Radian Compliance, LLC, where she specializes in implementing both Business Continuity and Information Security standards for her clients. She is a recognized Technical Expert and Trainer by BSI (British Standards Institution) on the BS 25999 Business Continuity Management System Standard, a recognized Trainer for ASIS on SPC.1 Organizational Resilience, and an RABQSA-RES Certified Provisional Lead Auditor. Lisa has spoken on numerous occasions on the benefits of implementing the standards and is a recognized writer and speaker on PS-Prep (Private Sector Preparedness). She welcomes and will respond to any specific questions you may have on the standards within the PS Prep program.
As always, our staff welcomes your input and comments to be shared with our growing readership concerned about organizational resilience and other disaster preparedness topics.