Solutions Snapshot

Should my company seek business continuity certification under the Voluntary Private Sector Preparedness Certification Program? If so, what should I be doing to prepare, and how do I show cost benefits of certification? 

Don Hubbard, Security Executive Council Emeritus Faculty, Custom Group

In today’s threat environment, it is imperative that each organization inculcate the concept of resilience into its culture so that the enterprise may not only survive, but thrive in the aftermath of an incident or disaster. I believe that one of the best ways to do so is to have robust business continuity plans that show clear accountabilities and are exercised frequently. A big part of exercising plans is identifying gaps. Going through the certification process will help identify gaps and demonstrate to top management that the organization is as prepared as possible.  

The first step, in my view, is to identify the key elements of the various standards which may be adopted into the certification program and then overlay those elements onto the organization’s existing plans. Standards specifically mentioned are NFPA 1600, ISO/PAS 22399-2007 and British Standard (BS) 2599.

Some gaps likely will be apparent and remedial steps can be taken. While there are currently no concrete financial incentives to go through the certification process, many believe market forces will make it a de facto requirement, much as the Payment Card Industry standards are now virtually mandated by the marketplace.

In addition, many believe the plaintiff’s bar, rating agencies, boards of directors, audit committees, institutional investors, stockholders, business partners (e.g. vertical supply chain) and other key stakeholders will encourage certification.

Phil Samson, Principal, PricewaterhouseCoopers LLP Business Continuity Management Services

For companies that have invested in their business continuity management (BCM) program — including a related risk management governance organization and procedures, periodic testing and update of critical components, and ongoing evaluation of exposures — certification will help validate the robustness of the program.

For those organizations that have less (or no) emphasis on BCM, now would be a good time for those with risk management responsibilities to use the tenets of the certification program to build an internal business case for a stronger BCM focus. Early adopters may begin applying for certification within the next year, and these early adopters may be your customers or key business partners, who will ask when your BCM program will undergo the certification process.
