1 Welcome to the DRI International National Preparedness Month Virtual Town Hall AnneMarie Staley NYSE EuroNext Russell Wooldridge DRI International Moderators
2 Chloe Demrovsky, Director of International Operations DRI International New International Opportunities Introducing DRI Japan, a non-profit organization, offering certification in Japanese Announcing the formation of DRI India serving India and neighboring countries DRI Malaysia: International BCM Conference: Managing the Unexpected – “Are We Really Ready For It?” October 26-28, 2010 in Kuala Lampur.
3 Present a “thought leadership” forums Provide virtual venues for participants to earn CEAPs Provide incentive for certified professionals for visiting The Professional Development Committee Daniel Mikulsky, Chair CSC
4 The BOG Committee Benefits Discounts & group benefits for Certified Professionals Outreach Help manage current and future relationships Grants Define and seek grants Michelle Cross, Chair Wells Fargo
5 Len Pagano, President & CEO SafeAmerica Foundation Nearly ½ Million Pledged to Drill What companies can do Plans for 2011’s March to 1 Million DRILL DOWN for Safety
6 The State of Company Certifications Al Berman, Executive Development DRI International
What Are We Trying to Accomplish? ◦ PREPAREDNESS Emergency Management Disaster management Business Continuity Is this New? ◦ Regulations ◦ Standards ◦ Guidances 7
Recommendation: We endorse the American National Standards Institute’s recommended standard for private preparedness. We were encouraged by Secretary Tom Ridge’s praise of the standard, and urge the Department of Homeland Security to promote its adoption. We also encourage the insurance and credit-rating industries to look closely at a company’s compliance with the ANSI standard in assessing its insurability and creditworthiness. We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. Private- sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. 8
9 Consumer Credit Protection Act OMB Circular A-130 FEMA Guidance Document Paperwork Reduction Act ISO (Previously ISO17799) FFIEC BCP Handbook Computer Security Act 12 CFR Part 18 Presidential Decision Directive 67 FDA Guidance on Computerized Systems used in Clinical Trials used in Clinical Trials ANSI/NFPA Standard 1600 Turnbull Report (UK) ANAO Best Practice Guide (Australia) SEC Rule 17 a-4 FEMA FPC 65 CARJHACO Sarbanes-Oxley Act of 2002 HIPAA, Final Security Rule FFIEC BCP Handbook -2003/ 2008 Fair Credit Reporting Act NASD Rule 3510 NERC Security Guidelines FERC Security Standards NAIC Standard on BCP NIST Contingency Planning Guide FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Strengthening the Resilience of US Financial System Financial System NYSE Rule 446 California SB 1386 Australia Standards BCM Handbook GAO Potential Terrorist Attacks Guideline Guideline Federal and Legislative BC Requirements for IRS Requirements for IRS Basel Capital Accord MAS Proposed BCP Guidelines (Singapore) (Singapore) NFA Compliance Rule 2-38 FSA Handbook (UK) BCI Standard, PAS 56 (UK) Civil Contingencies Bill (UK) Post-9/11 Pre-9/ Safety Act FCD-1/2 NYS Circular Letter 7 ASIS State of NY FIRM White Paper on CP NISCC Good Practices (Telecomm) Australian Prudential Standard on BCM HB221HB292BS25999 SS507 – SS540 TR19 CA Z1600 ISO/PAS HiTech Act of 2009 DRII Title IX – Business Continuity Regulations and Standards
10 a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification. b. The program will be voluntary. c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others. d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs. e. One or more preparedness standards can be designated. NFPA 1600 is reference by example. f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated. g. Special consideration will be made for small business. h. Proprietary and confidential information is to be protected.
A list of Recommended Standards Against Which a Company May Certify: ASIS International SPC Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition). British Standards Institution (2007 Edition) - Business Continuity Management.(BS 25999: Code of practice for business continuity management and BS 25999: Specification for business continuity management) National Fire Protection Association 1600-Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions. 11
12 ANSI-ANAB In progress - ANSI DHS
DRI/NFPA Course is proceeding with ANSI-CAP Accreditation for the Course ANSI-CAP follows the accreditation process outlined in the international standard ISO/IEC 17011, General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies and recognized by ANSI-ANABISO/IEC Passing the Exam will Provide a Certificate of Completion (Because training is a requirement there can be no examination only) This Certificate will Be Required to Seek CBCA/CBCLAs DRI International will maintain recertification through continuing education (RSBSQA requirement) 13
Regulations Created by Government/Industry Regulatory Bodies Punitive ◦ Fines ◦ Shutdown Subject to Annual (Operational/Financial) Audit Audit Conducted by Third Party Results are Board Issues May Create Vendor Requirements ◦ FFIEC ◦ HIPPA
Standards Voluntary Non-Punitive Auditable Through First, Second or Third Parties State of Flux ◦ NFPA 1600 is the ANSI National Standard is in Revised Every 3 years ◦ ASIS/BS25999 are Currently in the Early Stages of Seeking ANSI Accreditation not Due until at Least End of 2009 ◦ ISO 22399/PAS (Publicly Available Specifications) Interim State ◦ New Australian Standard ◦ New Singapore Standard
A Certification by an Approved Certification Body ◦ No Endorsement by DHS/FEMA or Federal Government A Distancing by DHS from the Process Private Sector Certification Bodies ◦ Available Before PS-Prep NFPA 1600 BS SS507 – SS540 Private Companies 16
No Get Out of Jail Free (Safe Harbor) ◦ Safety Act of 2002 No Reduction in Insurance Premiums Does Not Exempt Regulatory Compliance DHS Cannot Make It Mandatory – Only Legislative Action Can ◦ Highly Unlikely ◦ Consider Sarbanes-Oxley 17
So Why Do It Rewards ◦ May Satisfy Customer Inquiries Supply Chain RFPs ◦ Create Uniformity Multi-Nationals ◦ Increase Preparedness PS-Prep Raised Awareness of Need to Prepare
Risks Risks ◦ Discoverable (Corrective Action Plan) ◦ May Not Provide Legal Protection Judge and Jury Decision No Known NFPA1600 Defense ◦ Quality of Auditors ◦ Potential Conflict Financial – Operational Audit Corporate Governance Regulation ◦ Expensive
What to Do Now Focus on the Regs * Broaden Your Viewpoint * Keep Your Eyes on Transition * Hold Off On (the Actual) Certification * Walk Don’t Run * Talk to Your General Counsel (DHS Does) * The Standards Race Author: Mark Carroll
Final Thoughts and Ideas Let’s Work On Preparedness ◦ Small Steps – Easily Accomplished Safe America National Preparedness Month – Join the Coalition Local Community Activities Local Red Cross Chapter