1

Examining “the Business Case” for the

New Voluntary Private Sector Preparedness Certification Program

2

About InterCEP

• We are a catalyst focused on Private Sector Preparedness & Corporate Resilience

• The Alfred P. Sloan Foundation Funds InterCEP Research on Incentives for Business Preparedness – insurance, rating agency, mitigating legal liability,

supply chain, corporate governance

• Research Focus on the Linkage of

“What” & “Why” of Corporate Resilience

3

Our Panelists• Al Martinez-Fonts - Assistant Secretary, DHS• Robert Dix, Jr. - V.P., Govt. Affairs, CIP,

Juniper Networks• Bob Connors - Director, Preparedness, Raytheon• Pete Jespersen - Director, Bus. Cont. Mgmt.,

Merrill Lynch• Charles Wallen - Managing Executive, Bus Cont.

Committee, FSTC• Raymond B. Biagini - Partner, McKenna Long &

Aldridge LLP

4

Overview• Introduction

• Supply Chain Management

• Legal

• Rating Agencies

• Business Reporting

• Insurance

• Reputation & Other Considerations

Absent a “Why” the “What” will not get done

5

Certification

Standard(criteria)

Assessment Process(audit)

Certification

The Private Sector must be directly involved in the design

and implementation of the program.

Must assure basic business value!

7

Current Research • What to Do: There are consensus-based standards that

indicate “what” good preparedness is.

• Why to Do It:– Internal Incentives: There are a diversity of internal corporate

benefits to preparedness although these need to be better clarified & communicated

– External Incentives: Major stakeholders who may offer external incentives to acknowledge preparedness:

• Supply Chain Management• Rating Agencies• Legal• Insurance

8

Combining Multiple BenefitsMinimizing Impact of Business Disruptions

Insurance Benefits

Rating Agency Acknowledgement

Mitigating Legal Liability Post-Event

Supply Chain Resiliency

Process Efficiencies, Agility

Reputational, Corporate Governance and other Benefits

9

Current ResearchA disconnect for incentives:

• Major incentive stakeholders may be willing to

acknowledge preparedness • But they lack an appropriate indicator/assessment• And are not necessarily interested in assessing

preparedness themselves• Critically – there is no historical data on benefits

Chain

What to Do(Preparedness

Standards)

Why to Do It(Incentives &

Benefits)No CommonIndicator if

Prepared

< No Strong Connection >

10

Linking “What & Why”

The New Program may serve as a link:• It may assist in making a more effective connection

between good practice (What to Do) & benefits from both internal and external sources (Why to Do It).

What to Do(Preparedness

Standards)

Why to Do It(Incentives &

Benefits)Assessment & Certification

11

Key Considerations for Business Value

• Business Involvement in Program Design & Implementation (Management and Practitioners)

• Incentive Stakeholder Involvement

12

InterCEP’s Activities• Hosting Working Groups

– Supply Chain Management– Legal Liability Mitigation– Insurance Acknowledgement– Rating Agency Acknowledgement

• Developing a temporary online clearinghouse of information relevant to the voluntary business preparedness accreditation and certification program until appropriate body steps up.

• Participating in conferences & other forums.

13

If can’t measure it, you can’t manage it…

…and you can’t understand its impacts and

reward it!

14

Supply Chain Management

• Increasing need for supply chain resilience due to globalization, interdependencies, etc.

• Diversity of current efforts• Challenge of customers – attempting to build your

own program, engage and assess multiple suppliers

• Challenge of suppliers – diversity of customer assessment approaches, multiple audits

• Opportunity for mentoring

15

Legal Incentives

• Tort Negligence

• Port Authority ‘93 Bombing Case

• Affirmative Defense – advance conformity with a consensus-based industry standard

16

Rating Agency Acknowledgement

• Enterprise Risk Management (ERM) will be added as an element of all corporate ratings by S&P.

• Emergency management & business continuity are important elements of effective ERM in addressing operational risk

17

Rating Agency Acknowledgement

• “The extent to which companies are adopting standards, especially voluntary standards, would bolster the view that management has a proactive culture and attitude towards risk.  However it’s too early in our process to know what weight we’d place on that evidence.”

18

Business Reporting

• Diversity of reporting requirements currently in some vertical industries, little in others

• Need to assure that program is a rationalizing force not a complication

• Need to support first, second and third party verification

19

Insurance

• Diversity of companies, product lines, etc.

• Unwillingness to define preparedness and measure it

• Lack of historical data correlating preparedness with outcomes

• Likely incremental with focus on key areas such as business disruption insurance initially

20

Reputational & Other?

• Reputation – differentiator?• Process efficiencies• Corporate agility• May facilitate exchange of best practices• More consistent benchmarking• May forward corporate governance goals• What else?

– ARC example

21

If we can be of help . . .Bill Raisch

DirectorInterCEP- New York University

212-998-2000 william.raisch@nyu.edu

www.nyu.edu/intercep

22

Generic Template for Accreditation/Certification Scheme

23

What is a Preparedness Certification?

• Uses an accepted assessment process to acknowledge that the current state of organization’s emergency preparedness meets an identified standard(s).

• Assessment may be conducted by – The organization itself (first party)– A related organization (second party)– A qualified and independent third party

24

Typical Certification Steps

1. Internal review of current state of emergency preparedness (gap analysis) against selected standard

2. Supplement and/or improve existing preparedness processes, plans & activities to meet intent of desired standard(s)

3. Decide on first, second or third party verification if appropriate contract with accredited certification body

4. On-going surveillance and continual improvement processes

25

Key Players

• Accreditation bodies assess the competence of and accredit (i.e., approve) certification bodies against a set of accreditation requirements to carry out certain certification activities

• Accredited certification bodies assess the conformity of and certify an organization to certain standards or specifications

• The organization seeking certification