On 15 October 2009, the U.S. Department of Homeland Security (DHS) announced three proposed standards that would be used by the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) program, which enables private-sector businesses, nonprofit organizations and universities to receive emergency preparedness certification. The public can submit comments on the standards and the program at www.regulations.gov in Docket ID FEMA-2008-0017 by 15 November 2009.

In 2007, the U.S. Congress passed Public Law 110-53 (see http://www.fema.gov/privatesectorpreparedness/) mandating the DHS to issue a voluntary private-sector organizational-level certification program on emergency preparedness: the PS-Prep program. The adoption of existing standards to be used to obtain certification is key to the program. The DHS reviewed many domestic and international standards in the business continuity management (BCM) and emergency management practice area before proposing three: National Fire Protection Association (NFPA) 1600, British Standard (BS) 25999 and ASIS International's ASIS SPC.1-2009.

In the private sector, PS-Prep is controversial because it raises concerns regarding the legal implications of enterprises publicly stating that they have achieved certification, and because it overlaps with existing industry BCM frameworks. In addition, due to the lack of maturity of most BCM programs, many enterprises are not ready to commit their organizations to the effort required. Nevertheless, some organizations may have no other option, as many large enterprises are choosing supply chain partners based in part on assessments of their preparedness and recovery plans. This raises further concerns regarding whether PS-Prep is indeed voluntary. Though it is too early for Gartner to predict whether the U.S. government will require PS-Prep certification for the private sector through government contract requirements, market pressures may require some organizations to gain certification as a condition of doing business.

Improving recovery capabilities will benefit all businesses and humankind globally. But certification is not a guarantee that an organization can recover from a disaster. Organizations should go slowly when starting down the path toward organization certification.

Enterprises:

• Decide whether organizational certification is appropriate for your organization; reassess your position based on changing supply chain demands.
• Assess your BCM program against NFPA 1600, BS 25999 or ASIS SPC.1-2009.
• Work with your supply chain partners to meet their recovery requirements.
• Use the Gartner BCM Activity Cycle and maturity self-assessment tool to mature your BCM program.

• "Case Study: ETS Shares Best Practices for BS-25999-2 Business Continuity Management Certification"— Educational Testing Service's highly successful use of BS 25999-2 certification to show that its BCM program has achieved an exceptional level of maturity offers valuable lessons for other enterprises. By Roberta Witty
• "Activity Cycle Overview: Business Continuity Manager Role"— Enterprises can use the Gartner BCM Activity Cycle to improve the maturity of their BCM programs, regardless of the programs, standards or frameworks currently in use. By Roberta Witty

(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)