Archive for PS-Prep

Business Continuity Planning – Beyond the Doomsday Scenario

At the Continuity Insights Management Conference 2012 that I recently attended in Scottsdale, AZ, there was a lot of conversation around PS-Prep which bled into the discussion of “Why get certified” or, the more generic question of, “Why perform business continuity planning?”  An oft-repeated answer to this question, echoed by business continuity planners around the world, is, “Because without a plan you will not survive as a company.”

I think this is a disingenuous answer without any history to support it.  Where exactly is the evidence of this fact?  What historical data can you share with me, or the CEO you are trying to convince, that this is the case?  I am confident that you can dig up cases of small companies that did not survive a disaster, but where is that story about the big guy who did not survive the disaster?

The one and only case study I can think of off the top of my head is Enron, but that was a disaster of a different kind.

Look at BP and the horrific Gulf Coast disaster – they survived.  Did they have a plan in place for this?  Maybe … if so, most professionals would argue against its effectiveness.  Were they certified?  No.

Look at Cantor Fitzgerald, the one company most widely spoken about concerning the extent of their losses during the events of 9/11.  Survived.  With much loss and many significant challenges, but they are still in business.

We found this article that lists 8 Infamous Business Disasters – those companies all survived – albeit some under a new name and different business model, but they did survive.  Now, not all of these cases are the kinds of disasters we plan for, but I can’t find that one poster child event that proves the statement, “Without a business continuity plan, you will not stay in business.”

Now look, I am a business continuity planner.  I make a living out of helping companies put these programs in place.  I want … no, I NEED … CEOs and Boards of Directors to embrace the need for these plans and to invest in professionals like me to help put them in place.  But, I think we need a better sales pitch than the shallow threat of: this is needed to survive a disaster.

I don’t think we need C-level executives to buy into this all or nothing proposition with business continuity planning.  No, I think that the message should be:  Business continuity plans will allow us to mitigate our losses should a disaster occur. The goal is to ensure the investment we make in our plans and solutions is justified by the potential losses that could occur considering the probability that an event happens.

The losses that could occur are measured by performing a Business Impact Analysis, and the probability that an event happens is measured by a Risk Analysis.

We plan because it is a reasonable business practice to protect our assets and our stakeholders against losses that could impact the market value of our company not just if, but when, a business interruption event occurs.  If you want the answer to, “Why get certified”, check out this earlier blog we posted.

We need to sell business continuity planning using business terms that executives can understand and stop with the doomsday scenario selling technique.  At least, that’s the way I see it.

In the meantime, if you can share those stories with me that support the position companies will not survive without plans, I would love to read them.  Thanks.

PS-Prep: Why Get Certified?

For those of you who don’t know, PS-Prep is a voluntary private sector preparedness accreditation and certification program established by the US Department of Homeland Security as a direct result of a law passed by Congress following the Recommendations of the 9/11 Commission.

Basically, PS-Prep provides a means for private sector organizations that have business continuity, disaster recovery and emergency preparedness programs compliant with any one of three widely accepted planning standards to be certified by trained and approved Certifying Bodies (CB).

Although backed by Public Law 110-53, the need to be certified is not a law.  This is strictly a voluntary program.

So, the question is – Why get Certified?

This question is a topic of much debate amongst business continuity professionals, certifying bodies and the public authorities trying to promote PS-Prep.  I don’t think anyone is arguing against the benefits or principles behind PS-Prep, but rather, are skeptical that PS-Prep will provide any real added incentive to corporations to plan.  There is some discussion on the appropriateness of PS-Prep being a government initiative versus managed by a private sector forum, and there is some debate on whether or not PS-Prep has aligned itself with the right, or all of the right established standards, but these are arguments of the details and do not provide an answer to the question, Why get certified?

I think many of the proponents of PS-Prep are answering the wrong question.  Much of the argument I hear supporting PS-Prep really simply answers the question, why do business continuity planning?  Why plan is a much different question than why get certified.

Although I have met up with violent opposition to my belief, I think the most compelling reason today supporting the benefit of being certified is to provide a defensible position for after-the-disaster litigation showing your organization had taken due care to protect your organization up to DHS supported standards.

Remembering that the answers (because it is a good business practice; it is necessary to stay in business; it protects your employees and corporate assets) are all answers to the question “why plan” and not “why get certified”, I think providing a certificate showing you planned to DHS standards as a defense in court helps support the PS-Prep initiative.

Another potential answer to “why certify” is to leverage a marketable position communicating that your organization has taken steps to protect its organization and assets consistent with the findings in the 9/11 Commission’s Report.   Should PS-Prep become a more recognizable label, including a banner or logo stating PS-Prep accredited in advertising and marketing material could have some benefit.

What DHS would love to see happen is for large, private companies to embrace PS-Prep and make it a requirement that their suppliers, vendors and partners be PS-Prep certified.  Should that start to occur, the answer to “why get certified” will be market-driven and accelerate the program tremendously.

One other impetus that might help get PS-Prep going is to have insurance companies that offer loss of business insurance to discount these premiums for firms that are PS-Prep certified.

I hate sounding like a skeptic, but until you can show real, marketable, return-on-investment reasons for certifying these programs, I just don’t see companies jumping on the PS-Prep bandwagon.

But the debate is not over and PS-Prep is just starting to hit the headlines.  So, it should be interesting to see how this plays out over the next few months and years.  Regardless of PS-Prep acceptance, however, business continuity planners should (and I believe most of the good ones do) continue to create programs consistent with and in compliance with the standards identified in the PS-Prep program.