A Certification Standard Has Not Emerged in Emergency Preparedness Plans

The majority of U.S. companies have a formal, written plan for emergency preparedness, according to a report released by The Conference Board. But a widely adopted certification standard for such plans does not exist yet.

Three-quarters of the 302 senior corporate executives surveyed in mid-2007 said that an emergency preparedness plan exists in their companies. The analysis was sponsored by the U.S. Department of Homeland Security as part of an ongoing research project to assess the effectiveness of security in American companies.

The survey sample was intended to reflect the characteristics of American businesses as defined by size and industry. The sample was divided into three strata: small business (companies with $5 million to $50 million in annual sales), mid-market ($50 million to $1 billion in sales), and enterprise ($1 billion or more in sales). Within these groups of companies, the survey polled executives with responsibility for security, business continuity, crisis management, and emergency response efforts.

A "voluntary" certification process for preparedness was adopted as part of the 2007 homeland security legislation (Public Law 110-53). The choice of standards that would permit certification under the law is currently under review. As this report goes to press, it is expected that several different standards may qualify for certification.

"Currently, the most significant finding is that none of the many standards proposed for certification has attained widespread usage in the private sector," says Thomas Cavanagh, senior research associate, global corporate citizenship, The Conference Board.

The most common standard is the ISO 27001/17799 information security standard, which has been implemented by 23% of the surveyed companies. Following close behind, used by 20% of companies, is NFPA 1600, which was endorsed as the National Preparedness Standard in 2004 by DHS, the U.S. Congress, the 9/11 Commission, and the American National Standards Institute (ANSI). Three other kinds of standards have each been implemented by 12% of companies.

The Larger the Company, the More Prepared for Certification

The larger companies are much more likely to have implemented the most widely known standards. At the enterprise level, 30% have adopted the ISO information security standard, compared with 24% of mid-markets and 15% of small businesses. Despite its high visibility as the National Preparedness Standard, NFPA 1600 has been implemented by 29% of large companies and less than 18% of those below the enterprise level. NIMS (the National Incident Management System) has been adopted by 19% of enterprise-level firms, compared to 10% of mid-markets and only 4% of small companies. The discrepancy is most dramatic with regard to C-TPAT, which has been implemented by one-quarter of large businesses but only single-digit percentages of companies with less than $1 billion revenue.

As with the other procedures examined, the size of the company has a major impact on the level of preparedness. Roughly three-quarters of companies at the enterprise level conduct regular risk audits, mitigation, and activation of their backup facilities, and two-thirds undertake regular tabletop exercises. Annual risk audits are conducted by 69% of mid-market companies, and 53% of mid-markets report that they conduct regular mitigation activities and backup site activation. However, only 31% conduct tabletop exercises at least once a year. Fewer than half of small businesses report that they conduct any of these activities on an annual basis.

Different industries have different approaches to the pursuit of preparedness. The clearest example is the IEEE SCADA standard, which is used by many firms in the energy industry (38%) but is rarely encountered in other sectors of the economy. NIMS is most widely used in the energy and healthcare industries (38% and 29%, respectively). The financial services industry leads the way in the implementation of NFPA 1600 (36%) and the ISO IT standard (33%).

Ownership Structure and Industry are Factors

Ownership structure is also strongly related to these aspects of preparedness. Among publicly traded companies, at least 70% report that they conduct risk audits, mitigation, and backup site activation at least once a year, and 59% undertake annual tabletop exercises. The proportion conducting annual risk audits falls to 58% for privately held companies and 47% for family-owned companies. Only 52% of private firms and 37% of family-owned companies conduct annual backup activation, and regular mitigation is undertaken by 43% of private companies and 40% of family firms. Regular tabletop exercises are conducted by only one-third of private companies and one-tenth of family-owned businesses.

The financial services sector is at or near the top of the list of industries on virtually every one of these procedures, with especially impressive showings for backup facility activation (72%) and tabletop exercises (64%). Service industries are most likely to schedule "work from home" days, a procedure most commonly followed in healthcare (39%), business and professional services (36%), and other services (32%).
