Editor: John, as former counsel to the 9/11 Commission, you are uniquely positioned to point to some of the glaring deficiencies in the national security structure, both public and private. One of the good outcomes of the Commission was the endorsement by the Department of Homeland Security ("DHS") and American National Standards Institute ("ANSI") of a set of emergency preparedness standards for the private sector. Please tell our readers a bit about the standards and how they came to be endorsed by DHS and ANSI.
Azzarello: As the 9/11 Commission examined the emergency response to the September 11 attacks, many witnesses told the Commission staff that despite security improvements, the private sector remained largely unprepared for another terrorist attack. The same witnesses also told us that the absence of a widely embraced private-sector preparedness standard was a significant contributing factor to this lack of preparedness.
The Commission responded by asking ANSI to develop a consensus on a national preparedness standard for the private sector. In response to the Commission's request, ANSI convened several hundred safety, security, and business continuity experts from a broad range of industries and associations, as well as from federal, state and local government to consider the need for standards for private sector emergency preparedness and business continuity. The result of these sessions was ANSI's recommendation that the 9/11 Commission endorse a voluntary National Preparedness Standard ("Standard") based on the existing American National Standard on Disaster/Emergency Management and Business Continuity Programs (NFPA 1600), which establishes a common set of criteria and terminology for preparedness, disaster management, emergency management and business continuity programs.
With the emphasis in the Commission's final report on the need to reorganize the government, particularly the need to restructure the nation's intelligence community, I think the importance of the private sector preparedness standard was lost in the shuffle. With the government reorganization issues being addressed, it is important to turn our attention to the Standard and how the private sector can use it to mitigate risk and potential damage in the event of a natural disaster or man-made crisis, including a terrorist attack.
Editor: What spurred DHS to endorse the NFPA 1600 as the benchmark for private preparedness?
Azzarello: The 9/11 Commission was encouraged by testimony from former DHS Secretary Tom Ridge supporting NFPA 1600 standards, and ANSI's efforts to vet the Standard with over 2,000 organizational members prior to recommending it. In its final report issued on July 22, 2004, the Commission not only endorsed the Standard but also urged the DHS to promote the widest adoption of NFPA 1600 in the private sector. In this regard, the Commission noted the DHS's security mandate did not end with government but included a responsibility to ensure preparedness in the private sector, which controls 85 percent of the critical infrastructure in the United States.
I think DHS saw this Standard as a good starting point from which industries could collaborate to either assess their current best practices or develop new ones that could be specific to their industry. Further, inasmuch as this same Standard has already been in use in the government, it makes sense to establish a single standard for both the public and private sectors so they can speak the same language in the event of an emergency.
Editor: And this includes preparedness for terrorist acts as well as natural disasters?
Azzarello: That is correct. The Standard is designed to address a wide array of natural and man-made disasters, including floods, tornadoes, hurricanes, power outages, workplace violence and disasters from a biological, chemical, nuclear or radiological attack.
Editor: What does the Standard recommend for private industry preparedness?
Azzarello: The Standard sets forth key program elements focusing on (1) preparedness activities to be undertaken before a crisis, (2) mitigation strategies to eliminate hazards or minimize their impact, (3) planning for the response to a crisis, (4) strategies to support recovery from a crisis and (5) an integrated business continuity plan to ensure that key functions will continue during the response and recovery stages.
Editor: Who within the corporation is normally in charge of coordinating or developing the program?
Azzarello: The responsibility for developing and implementing a company's emergency preparedness plan varies from industry to industry and company to company. The development of a proper plan requires involvement from all material elements of a particular organization - from management to operations to information technology personnel. But it is important to have a single individual or body who serves as the "coordinator" of the program on an ongoing basis. You may want to consult outside experts in developing and implementing part of your plan. It may also be prudent to consult with experts familiar with the standard to ensure that your organization is in compliance.
Editor: What are the Standard's strengths and weaknesses?
Azzarello: I believe both the strength and the weakness of the Standard lies in its generality. If you are looking for a detailed "how to" guide, you will not find the answers in this Standard. But the Standard does provide a general framework which outlines the key elements you should, and in some cases must, consider in order to have effective and meaningful emergency/disaster management and business continuity plans. Many have said the standard is "a mile wide and an inch deep" but that is by design.
Editor: What incentives exist or should be adopted - particularly in the insurance and credit rating industries - to induce private business to adopt the Standard?
Azzarello: The 9/11 Commission recommended that private companies voluntarily follow the Standard. The commission also encouraged insurance companies and credit rating agencies to look closely at compliance with the Standard when assessing a company's insurability and creditworthiness.
The actual impact on insurance rates and credit analysis of companies remains to be seen and should be monitored closely by the private sector. Some major insurance companies, security firms and others have been participating in a series of ongoing roundtable discussions coordinated by the International Center for Enterprise Preparedness ("INTERCEP"), located at New York University and funded by DHS. INTERCEP's founder and director, Bill Raisch, was the private sector preparedness adviser to the 9/11 Commission. He recently informed me that the ongoing roundtable discussions were specifically targeted towards the development of a strong nexus between voluntary compliance with the NFPA 1600 and insurance and credit rating benefits. While he has a positive outlook on these discussions, he noted that the process was of necessity complex given the diversity of stakeholders.
I also think we as a society need to think creatively to develop additional incentives for voluntary compliance. The continued strength and viability of our private industry is vital to both the economic well-being of our country and the security of our homeland. We cannot afford to have 85 percent of our critical infrastructure unprepared for another terrorist attack or disaster of any kind.
Editor: What is the minimum a company should do if it does not adopt the Standard?
Azzarello: I truly believe no company should ignore the Standard. It is sufficiently general so that a business of any size, from the corner drug store to a large chemical plant, could develop a plan to comply with it. In fact, failure to voluntarily adopt a plan that complies with the Standard may very well expose a company to liability. In this regard, the Commission's final report states "[w]e believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes." The report further states "[p]rivate sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world."
With that in mind, INTERCEP is also actively bringing together key stakeholders, including representatives of the corporate counsel community, to develop a "safeguard strategy" which will minimize an organization's exposure to civil liability from tort litigation after a crisis. Compliance with NFPA 1600 is seen as informing the concept of observing a "standard of care" in protecting employees and the general public.
Editor: Which industries are most vulnerable and need most urgently to develop these plans?
Azzarello: Since the Standard governs not only preparedness for terrorist attacks, but hazards of all kinds, including floods, hurricanes and tornadoes, I think all industries are vulnerable in one way or another no matter where their business is located. Having said that, I believe chemical, gas and nuclear energy plants, major financial services companies, and the transportation industry are among the most vulnerable. Even if you are not in a high risk industry, you may be the target of terrorist activity because your company is located in a building with government offices or one that is considered to be an important U.S. landmark.
Editor: What is the state of the Standard today in terms of number of businesses having adopted it? What can we expect on the horizon?
Azzarello: I believe the acknowledgement of the existence of the Standard and efforts to comply with it continue to grow within the private sector. However, we still have a long way to go before we can say that most, if not all, components of our nation's private sector are well prepared to avoid or mitigate damages from another terrorist attack or major disaster of another type. In this regard, INTERCEP, the first major academic center dedicated to private sector emergency management and business continuity, is working to educate private industry on this important Standard and other best practices and guidelines. If your company has not done so already, go to www.nfpa.org and download the NFPA 1600 Standard. Then take it to the next level and determine what needs to be done to protect your business. Going forward, INTERCEP is continuing to promote conversations among key private sector stakeholders to further both incentives in this arena and best practices appropriate to each industry. To follow these efforts or to participate, they have a website at www.nyu.edu/intercep.
Published June 1, 2005.
