Business Protection Toolkit
Preparing IS Your Business

Contents
Introduction
Why the Private Sector Should Care
Benefits to Preparedness
The PS-Prep™ Program
A Standards-Based Approach
Getting Prepared
The PS-Prep™ Continuum
Small/Medium-Sized Businesses
Corporate Entities
Non-Profit Organizations
Frequently Asked Questions
Resources

Introduction

"Private organizations across the country—from businesses to universities to non-profit organizations—have a vital role to play in bolstering our disaster preparedness and response capabilities. These new standards will provide our private sector partners with the tools they need to enhance the readiness and resiliency of our nation."
– Janet Napolitano, Secretary of the Department of Homeland Security

The world can be a dangerous and unpredictable place. It seems like we are continuously enduring the painful—and sometimes tragic—effects of disasters. The tsunami and earthquake in Japan, and flooding and tornadoes in the southern and central United States, are recent events resulting in property loss, personal damages, lives lost, and economic loss. The long-term impact of these events is still not fully understood. For one thing, automobile and construction facilities have been drastically affected, many of which have been shut down both nationally and internationally. As a result, our economy has witnessed an 11% decline in housing and nearly a 9% decline in auto manufacturing. Large entities, including Japan-based Toyota and Sony, and even facilities as far away as central Kentucky, have been affected by these natural disasters.

Nor should business owners discount smaller events, such as water main breaks and power outages, which can prove just as detrimental. Every year, electrical power surges, spikes, and outages yield more than $150 billion in damages to the U.S. economy.

No organization—whether small, large, for-profit, or non-profit—is invincible to the aftermath of a disaster. It is essential that leaders of businesses and organizations proactively prepare for disaster, as it is no longer a matter of if a disaster will happen but when.

The Private Sector Preparedness Program (PS-Prep™) is here to bring you one step closer to achieving survivability in the event of an emergency. The Department of Homeland Security (DHS) began developing the program in December 2008. PS-Prep™ is a voluntary program designed to protect private sector entities (corporate entities, small- to medium-sized businesses, and non-profits) against the effects of a disruption. By equipping leaders and staff with key resources, PS-Prep™ can improve an organization's ability to maintain operations during and after an emergency. Whether your organization is small or large, any efforts to improve preparedness are beneficial. PS-Prep™ offers several options toward preparedness: following best-practice programs, aligning to a standard, or certifying to a standard.

Prepare to become resilient. Whether your entity may be affected directly, or via the supply chain, it's critical to have a plan in place—a plan that can protect your employees and organization, and enhance your overall ability to be resilient.

Why the Private Sector Should Care

"The 21st-century incidents are increasing in frequency, scale, and consequence, and the private sector needs to be prepared to bounce back and help our nation recover."
– Bob Connors, Director for Preparedness at Raytheon Corporation

Private sector entities are uniquely affected by catastrophic events. With varied resources and numerous stakeholders, private organizations have a responsibility to be prepared. The following examples highlight the importance of preparatory measures:

• The 9/11 Commission Report identified the private sector as having significant risks in being able to respond to and recover from disruption.
• Private sector leaders should consider the impact of disruptions and possible consequences for employees, families, and neighborhoods/communities.
• Being unprepared in the event of a crisis can lead to significant revenue loss and unanticipated costs.
• Interrupted operations could impact organizational relationships and tarnish reputation.
• An organization can experience a significant competitive disadvantage if they have not made plans to mitigate loss and down-time during a hazardous event.
• Survivors of disasters typically wait up to 72 hours for help to arrive. This makes it even more imperative that entities prepare to be self-sufficient for the first 72 hours.

[Timeline of major natural and manmade disasters in the United States between 2001 and 2011]

Benefits to Preparedness

• Develop a Plan of Action for handling disruptions that is shared with employees and practiced through exercises.
• Increase Reliability by proving your organization's ability to mitigate all-hazard conditions.
• Minimize Impact to Essential Operations, increasing the entity's opportunity to continue to operate.
• Protect Market Share and Minimize Financial Losses by proactively planning and accounting for recovery resources before they are needed.
• Protect Data and Information to ensure decisions can continue to be made to facilitate organization recovery.
• Gain Industry Recognition by promoting preparedness with suppliers and clients alike.

The PS-Prep™ Program

PS-Prep™ is a voluntary program designed to build awareness and give private sector entities the ability to safeguard their organizations against the effects of any type of disruption (natural or human-induced). The program includes standards that will equip decision-makers with key processes to improve their organizations' ability to maintain operations during and after an emergency or disaster.
Through the 9/11 Commission Act of 2007, Congress required DHS to develop and implement a program to encourage nationwide preparedness, resilience, and recovery among private sector entities in the event of any emergency. PS-Prep™ offers an organization a path to become better prepared utilizing official standards.

As private sector entities vary in size, structure, and specialty, PS-Prep™ offers three different standards for continuity and recovery processes. These standards were developed by preparedness experts, approved by ANSI-ASQ National Accreditation Board (ANAB), and adopted by DHS for this program. They are:

1. Disaster and Emergency Management and Business Continuity {NFPA 1600: 2007/2010 editions}
Provides a holistic approach to preparedness that addresses organizational management, risk assessment, prevention, mitigation, resource management, response continuity, and recovery.

2. Organizational Resilience and Security Preparedness and Continuity Management {ASIS SPC.1-2009}
Provides the steps necessary to prevent, prepare for, and respond to disruptive incidents. It promotes survival and organizational resilience.

3. Business Continuity Management {BSI BS 25999}
Provides a basis for understanding, developing, and implementing a business continuity program so that organizations might avoid interruptions to operations.

A Standards-Based Approach

Many are not aware of the important role that standards play in our day-to-day lives—products may not work as expected, bridges and roads may be impassable, buildings would take longer to build, and may even be unsafe to inhabit. We should really ask ourselves, "What would the world be like without standards?"

PS-Prep™ uses a standards-based approach to business continuity and recovery that will allow organizations to unify their preparedness activities under standards.
These standards provide a management system that includes policies, processes, procedures, performance measures, and quality improvement practices. Preparing to a standard allows for uniform and consistent planning, implementing, and improving business continuity within departments and throughout the organization. PS-Prep™ can instill confidence in your organization for your customers and stakeholders.

Partial List of Common Elements of PS-Prep™ Adopted Standards

1. Program Policies and Management
• Develop policy, vision, and mission statements.
• Devote appropriate personnel and financial resources.
• Assign an individual (or committee) with appropriate authority to lead the preparedness efforts.

2. Analysis
• Evaluate legal, statutory, regulatory, and industry best practices, as well as other requirements.
• Define and document the scope of the preparedness program.
• Conduct a risk assessment and impact analysis.

3. Planning
• Prevention and mitigation
• Incident management
• Resource management and logistics
• Training
• Testing and evaluation
• Records management

Getting Prepared

Now that you know the benefits of being prepared, it is important to understand that being prepared is an ongoing process of improvements that must be reviewed and audited regularly. We understand that the journey to preparedness is not a one-size-fits-all approach; it will be different for small, large, and non-profit entities.

If you are making the decision to get prepared for the first time, congratulations! You can start by developing a preparedness policy, a vision or mission statement, and continue to evolve by strengthening internal processes with the development of a comprehensive preparedness program.

If you have begun a preparedness program, you may improve your organization's level of preparedness through an assessment of internal and external vulnerabilities. Such a review will help you and your employees identify potential gaps in your existing preparedness program.
The information found in this brochure will provide you with questions and next steps that you can take to begin or improve your preparedness. Preparing IS Your Business.

The PS-Prep™ Continuum

[Chart showing the positive correlation between size of business and scope of preparedness. Small businesses may find benefit in best practices while large corporations may pursue third-party certification]

Small/Medium-Sized Businesses

Protect Your Investment

So, you are living your dream. You are independent and making your own decisions. You may work alone or with employees. You have poured all of your time, energy, and resources into making your business a success. To protect all that you have invested, it is important that you plan for and consider how your business will survive and recover in the event of a disaster.

If you think, "it cannot happen to me," you are mistaken. More and more Americans are dealing with the effects of weather-related disasters, power outages, cyber-attacks, and data loss. Any one of these events can be detrimental to a business of any size but often leaves small- and medium-sized businesses vulnerable to business interruption or closures.

Where would a disaster leave your business? Planning to remain in business after being impacted by an emergency requires an assessment of your internal and external functions. Preparing can:

• Improve your business's ability to respond and recover
• Mitigate risk and offer safeguards for the investment you have made in the business
• Promote a strategic decision that will influence how you will handle employees, customers, suppliers, and your workspace in the event of an emergency
• Tell your customers and stakeholders what you value
• Distinguish you from your competition

What You Can Do Today

An internal audit will help you identify where you might improve your preparedness. Preparing to a standard will provide you with a uniform and consistent basis for developing the answers to the following questions.
Assess your organization by answering "yes" or "no" to the following questions. Your responses will guide you in implementing necessary action plans within your organization. If you prefer a standards-based management system for preparedness that involves the cycle of "Plan, Do, Check, Act," PS-Prep™ fits your organization's needs.

The following are sample improvements to increase preparedness levels:

• Ensure sufficient communication systems are in place and operational.
• Maintain proper emergency supplies on-site.
• Review your insurance policy.
• Evaluate your information technology network.
• Verify that certain protection and back-up mechanisms are in place.
• Coordinate with emergency response teams.
• Compile a kit that includes blueprints for key facilities and an emergency contact list (i.e., fire and police departments, psychologists, trauma specialists, etc.). Ensure employees know where the kit is located.
• Confirm that employees are familiar with your organization's emergency response plan and know whom to contact in such an event.
• Schedule a drill to test your emergency plan and continuity systems.
• Make development and implementation of a disaster plan a priority.

Small/Medium-Sized Businesses
Question - Answer Yes or No

1. Do you know what critical operations need to remain continuous in the event of a disaster? (Key personnel, alternate location/facility, processing systems, documentation, vital records, policies and procedures)
2. Do you know which assets are most vulnerable to a disaster?
3. Do you know how you would safeguard assets and maintain organization operations in the case of an emergency?
4. Do you have a disaster plan?
5. Is your plan tested and approved by internal leadership and stakeholders?
6. Do you or your employees know what to do in the case of a disaster to avoid operational interruptions?
7. Is there a disaster team organized?
8. Do you know who the team members are and what their roles are?
9. Do you have key contacts documented and a plan of communication?

Corporate Entities

Prepare to Prosper

You are a leader in a large corporate entity. You have worked extremely hard over many years to reach this point. You now manage dozens or perhaps hundreds of staff members. You make connections with people—employees, partners, and consumers, to name a few. You plan for the future with these people in mind. You make the tough decisions. Now is the time to make the decision to prepare for the inevitable: disaster.

Whether it is an act of bio-terrorism or an incident of extreme weather, catastrophes are unpredictable in almost every sense. Proper preparedness will help your corporation minimize loss of revenue, data, productivity, or, worse, life. The disruption of operations for a few hours or a few days can deeply affect your organization internally and externally. Making the choice to prepare today can protect your corporation tomorrow!

Large corporate entities are no strangers to disruption. However, disaster preparedness involves much more than a crisis-management team and prepared press releases at the ready. Poor (or non-existent) preparatory measures could compound the effects of a disaster. Large entities have the unique capability to use crises as opportunities. Resilient corporations are likely to recover faster than the competition, gaining market share and customer loyalty. Preparedness can mitigate disruptions by:

• Reinforcing corporate survival by planning to sustain core operations and revenue streams through the lifecycle of a crisis;
• Protecting revenue and cash flows as a result of planning to protect key assets and sustain central operations;
• Protecting key assets, including inventories, property, equipment, data, documents, and intellectual property; and
• Protecting and supporting employees.

Providing a Uniform Management System

Creating a management system that unifies different departments (risk management, IT, security, etc.), and outlines the same principles, is vital to the preparedness of your corporation. Once implemented, PS-Prep™ standards provide a system of policy, planning processes, procedures, performance measures, and quality improvement practices. Conforming your enterprise to PS-Prep™ standards can lead to certification to that standard, ultimately bringing value to your entity's overall worth.

What You Can Do Today

The following outlines how an organization can begin to plan for people's roles and functions in emergency response and recovery.

1. Scope and Policy – Develop a scope and/or policy statement that addresses disaster management, business continuity management, and organizational resilience.
• Define scope and boundaries for development and implementation of the preparedness program.
• Establish a policy to provide a framework for setting objectives, along with the direction and principles for action.

2. Requirements – Assess your organization to identify and conform to legal, statutory, regulatory, and other requirements that may be consistent with PS-Prep™.
• Identify legal and other requirements (laws, regulations, codes, zoning), which govern the organization's activity.
• Apply and receive corporate sponsorship.

3. Objectives and Strategies – Outline strategic plans to accomplish objectives in risk management, incident prevention/preparedness/mitigation/response, business continuity, recovery, and corrective/preventive actions.
• Identify type and availability of human, infrastructure, processing, and financial resources needed to achieve your organization's objectives.
• Plan the operational processes for actions required to achieve the organization's objectives.

4. Risk Management – Include hazard and threat identification, risk assessment, vulnerability analysis, and consequence/business impact analysis.
• Establish a process for risk identification, analysis, and evaluation.
• Identify hazards and threats, to include cyber- and human-security elements. These should include loss of IT, telecommunications, key skills, negative publicity, employee or customer health or safety, reputation damage, supply chain outage/disruption, loss of facilities, etc.

5. Operations, Control, and Risk Mitigation – Identify requirements for your organization's business continuity strategy, tactics, operational plans and procedures, and/or contingency plans.
• Establish operational control measures needed to implement the strategic plan(s) and maintain control of activities and functions against defined targets.
• Document the forms and processes to be used before or during an event to ensure activities and participants are captured for review and improvement.

6. Communications – Identify requirements for communication and warning as they apply to disaster/emergency management and business continuity.
• Develop and maintain a system required for communications and warning capability in the event of an incident/disruption.
• Identify requirements, messages, and content required for external communication.

7. Competence and Training – Assess, develop, and implement training/education programs for personnel, contractors, and other relevant stakeholders involved in emergency and business continuity management.
• Identify and establish skills, competency requirements, and qualifications needed by the organization to maintain operations.
• Assign appropriate support representative(s) to lead preparedness.

8. Resource Management – Identify resource management and/or logistics as it relates to the allocation of human, physical, and financial resources in the event of incidents that threaten operations.
• Establish and document provisions for adequate finance and administrative resources and procedures to support the management program under normal and abnormal conditions.
• Make arrangements for mutual aid and community assistance.

9. Assessment and Evaluation – Identify requirements for assessments, audits, and/or evaluation of disaster management and business continuity programs.
• Conduct internal audits of system or programs.
• Establish metrics by which the organization assesses the ability to achieve the program's goals and objectives on an ongoing basis.

10. Continuing Review – Identify requirements for program revision and process improvement, including corrective actions.
• Conduct management review of programs to determine current performance; to ensure continuing suitability, adequacy, and effectiveness; and to instruct improvements and new directions when necessary.
• Make provisions for improvement of programs, systems, and/or operational processes.

The Value of Certification

The integration of uniform preparedness processes equips large private sector entities with the resources to handle major interruptions to operations. Independent and objective evaluation through third-party certification offers validation of that fact. Certification endorses an association with a reputable brand, facilitates organizational recognition by stakeholders, and makes regular audits of preparedness a priority. This process develops disaster awareness within and outside an organization, thereby fostering a heightened sense of security and distinguishing one from competitors.

Here are some considerations before pursuing certification:

1. Initial Review
• Define the scope of voluntary certification.
• Determine which preparedness standard is most appropriate for your organization.
• Forecast the allocation of internal resources required.
• Seek executive sponsorship.
• Organize an internal working team of experts.

2. Internal Analysis
• Cross-reference your chosen preparedness standard with internal programs, policies, best practices, and existing regulations that will be relevant to certification.
• Gather supporting documentation.
• Complete a self-assessment with your internal working team of experts.
• Brief the executive sponsor on the results of the self-assessment.
• Develop a project plan and timeline to close any gaps discovered through self-assessment, bringing your entity closer to compliance with the chosen standard.

3. Certification
• Research, interview, and select accredited third-party certifiers.
• Review your scope, selection of preparedness standard, and process of self-assessment with the certifier.
• Discuss cost and timeline for completion of certification process.
• Brief the executive sponsor and internal working team of experts on all aspects of the certification process.
• Complete certification.

Once your organization is certified, there will be a periodic reassessment to maintain emergency preparedness and continuity systems. ANAB manages PS-Prep™ certification and administers the process through independent auditors.

Non-Profit Organizations

Make Preparedness Your Mission

Your mission statement takes on a life of its own as your organization wholeheartedly embraces the work that you collectively care about. What if you were not able to continue your mission through no fault of your own? Unexpected external factors could leave your organization severely weakened. Many non-profit organizations begin plans to prepare but quickly get bogged down in the day-to-day operations of their mission. However, making preparedness a mission keeps your vision intact. Preparedness plans are beneficial for recovering from disasters large and small. Make the decision today to protect your mission tomorrow!

With more than 1.6 million non-profit organizations in the United States, efforts to prepare for disaster must meet immensely diverse needs. As categories of organizations (religious, educational, charitable, scientific, literary, agricultural, fraternal, etc.) vary, these groups might suffer from a crisis or help victims recover from one.
Many have not implemented even the most basic disaster plan. Having one in place is critical to an organization's ability to sustain disaster. Quality preparation measures can:

• Safeguard your employees, volunteers, beneficiaries, community at large, and other internal and external stakeholders;
• Promote partnerships with corporate targets more effectively;
• Appease concerns of members of your organization's board or other controlling body about the level of preparedness;
• Boost your organization's reputation at the local and/or national level;
• Make vital needs and services available to vulnerable populations in the event of a crisis;
• Protect organizational assets; and
• Strengthen partnerships and collaborations with other non-profits, government, and private sector organizations.

What You Can Do Today

• Assess the hazards that could potentially affect your organization—plan for those first (for example, is your facility vulnerable to flooding, or how could an electrical outage affect your ability to provide services?).
• Communicate with staff and volunteers about your preparedness plan.
• Form a planning team, identify a leader, designate an alternate facility, and plan for staff with special needs.
• If your organization does not have a specific mission for disaster response, discuss what role, if any, your organization will take. If a role emerges for your organization, begin to plan and create alliances to meet the mission of that role.
• If your organization has a specific mission for disaster response activities, review and drill your plan.

Frequently Asked Questions

What is the PS-Prep™ Program?
PS-Prep™ is a voluntary program designed to build awareness and give private sector entities of all sizes the ability to safeguard their organizations against the effects of any type of disruption (natural or human-induced), equipping owners with key processes to improve their organizations' ability to maintain operations during and after an emergency or disaster.

Who is the audience?
PS-Prep™ offers a private sector entity (a company, facility, not-for-profit corporation, hospital, stadium, or university) a path to assess and meet nationally recommended standards for levels of emergency preparedness.

What are standards?
Standards make our lives easier, safer and healthier. Without them, many everyday actions we take for granted would be unpredictable. They are fundamental building blocks of society, representing a common commitment to quality, safety and ethical practice.

Why do we need standards?
Many are not aware of the important role that standards play in our day-to-day lives—products may not work as expected, bridges and roads may be impassable, buildings would take longer to build, and may be unsafe to inhabit. We should really ask ourselves, "What would the world be like without standards?" There may be inferior quality and incompatibility with other products and services, or in extreme cases, non-standardized products may even be dangerous. Standardized products and services provide the user with added confidence in their safety, quality, security and flexibility.

What makes this preparedness program different from other programs?
PS-Prep™ can offer organizations several options toward preparedness, whether it's following best practice programs, aligning to a standard, or certifying to a standard.

Is the program mandatory?
No, PS-Prep™ is a voluntary program in which private sector entities are encouraged to participate to ward off the detrimental effects that can result from operational interruptions.

Who oversees the certification?
DHS has selected the American National Standards Institute (ANSI)–American Safety for Quality (ASQ) National Accreditation Board (ANAB) to develop and oversee PS-Prep™ certification and manage the process through independent auditors.

Cost
Certification costs will vary depending on the scope of the conformity assessment. Visit the ANSI website for further details about qualified certification bodies who can audit your preparedness program.

Resources

Websites

FEMA Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep™) Resource Center
www.fema.gov/privatesector/preparedness

FEMA Private Sector Focus
www.fema.gov/privatesector

Are You Ready? An In-depth Guide to Citizen Preparedness
www.fema.gov/areyouready

Ready Business
www.ready.gov/business

The Red Cross Ready Rating Program
www.readyrating.org

Institute for Business and Home Safety (IBHS)
www.ibhs.org

ANSI-ASQ National Accreditation Board
www.anab.org

ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use
www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf

BS 25999 Business Continuity
www.bsiamerica.com/en-us/Assessment-and-Certification-services/Management-systems/Standards-and-schemes/BS-25999

NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs
www.nfpa.org/assets/files/PDF/NFPA1600.pdf

U.S. Small Business Administration – Disaster Preparedness
www.sbaonline.sba.gov/services/disasterassistance/disasterpreparedness

Links to the Applications

Organizational Resilience: Security, Preparedness, and Continuity Management System
www.anab.org/media/22041/fa2024-ps-prep-asis-spc.1ap.pdf

Business Continuity Management
www.anab.org/media/22044/fa2025-ps-prep-bs25999-2ap.pdf

National Fire Protection Association
www.anab.org/media/22047/fa2026-ps-prep-nfpa1600ap.pdf

Social Media

www.facebook.com/fema
www.twitter.com/fema

Contact Information

Marcus Pollock
999 E Street, NW
Washington, DC 20472
(202) 646-2801