Urgent Call for Action by DRI

On July 30, 2008, the American Society for Industrial Security (ASIS) announced its intention to develop a standard for Business Continuity. ASIS has filed two notices with the American National Standards Institute (ANSI), called "PINS Forms: Standards Action Public Review Requests." One of these is "BSR/ASIS BCM.01-200x, Business Continuity Management: Preparedness, Crisis Management, and Disaster Recovery," an area that clearly falls under the expertise of our profession and our (Business Continuity's) leading professional association, DRI International.

 

On August 12, 2008, DRI International issued the following call for Urgent Action by BCP Professionals.

 

On August 13, 2008, David Shimberg, as Chairman of, and primary spokesperson for, the Contingency Planning Association of the Carolinas, Inc., your professional association, spoke at length with John B. Copenhaver, President and CEO of DRI International, and a strong supporter of CPAC, about DRI's call for Urgent Action.

 

On August 14, 2008, Shimberg took the unilateral step of writing a strongly worded response to the ASIS BSR/ASIS BCM.01-200x PINS request, in collaboration with John Copenhaver. This letter was sent to Susan Carioti at scarioti@asisonline.org with cc to John Copenhaver of DRI and Matthew Dean of ANSI. My letter clearly stated, among other things, that the business continuity profession is represented by DRI International, and I find it inconceivable that ASIS feels it has a place, or right, to independently develop standards for my profession.

 

On August 15, I received ANSI's response to my letter,  which John Copenhaver characterized as, "Besides mischaracterizing our statement, insulting our industry, claiming that the PINS filing was simply "a call to the business continuity community and other interested and affected parties to participate in the creation of the standard" (as if it asked us to participate in the 2005 "Business Continuity Guidelines", etc.), and dissing NFPA 1600, this is a well-reasoned response..."

 

Whether you agree with David Shimberg's letter, or DRI's position or not, you are urged to advise ASIS, ANSI, DRI, and your CPAC leadership of your position on this matter, through the contacts listed in DRI's Call for Action.

David A. Shimberg, CBCP
Board Chairman
Contingency Planning Association of the Carolinas, Inc.
w) 704-733-5289
www.cpaccarolinas.org

 

DRI International

 
   

Urgent Action Required

 
 

IMMEDIATE ACTION IS REQUIRED

Your assistance is urgently needed to preserve the integrity of BCP standards.

 

Washington, DC - August 12, 2008 - Last October, Disaster Recovery Institute International (DRI) issued a position statement regarding the establishment of a standard for Business Continuity Planning. This was in response to the American Society for Industrial Security (ASIS) attempting to push through an unproved and ill-considered standard with the American National Standards Institute (ANSI). We believed that our statement had settled the matter.
 
However, ASIS has filed two notices with the ANSI called "PINS Forms: Standards Action Public Review Requests." One of these is "BSR/ASIS BCM.01-200x, Business Continuity Management: Preparedness, Crisis Management, and Disaster Recovery". This proposed standard is being drafted "to include auditable criteria for preparedness, crisis management, business/operational continuity and disaster management using a process approach with the Plan-Do-Check-Act model, as required by Title IX of H.R. 1 and Public Law 110-53 'Implementing Recommendations of the 9/11 Commission Act of 2007'".
 
DRI International strongly opposes this filing.  We are asking our colleagues and certified professionals in the field to oppose this effort to create a "Business Continuity Management" standard in an industry already beset with multiple and often confusing standards.  The comment period for this "PINS" phase of "BSR/ASIS BCM.01-200x" closes on August 30, 2008.
 
Please send a clear message to ANSI through its designated point of contact, Susan Carioti at scarioti@asisonline.org. We are making every attempt to coordinate this effort and track the comments, which we believe will help in making presentations to ANSI and other appropriate agencies.  When you send your e-mail to Ms. Carioti, please send a bcc to standards@drii.org.  Your efforts are greatly appreciated.

 

Suggested Comments for Response
 
Doesn't a standard for Business Continuity practices already exist?
Yes.  NFPA 1600 - Standard on Disaster/Emergency Management and Business Continuity Programs has been the US and Canadian standard for Business Continuity since 1995.  NFPA 1600, DRI International Professional Practices and BCI's Certification Standards for Professional Practitioners form the basis for the certifications held by the majority of the world's certified Business Continuity professionals.
 
Is NFPA 1600 recognized outside the Business Continuity community?
Yes.  It is the standard endorsed by the U.S. Department of Homeland Security and the Federal Emergency Management Agency and certified as an ANSI Standard.
 
Was ASIS given an opportunity to have their opinion heard?
Yes. ASIS had an opportunity to provide input to NFPA 1600, as a member of NFPA's Technical Committee, but ASIS declined.
 
Were BC Professionals involved in creating this standard?
No.  ASIS created a "standard" that serves the needs of the security profession without the benefit of comment from DRI International, BCI, RIMS, NFPA and other recognized subject matter experts.  ASIS has never approached the business continuity industry itself to participate in the creation of its draft standard.
 
What's wrong with independent standards?
Briefly, the continuing creation of independent standards in these areas does little more than generate confusion in fields that are already beset with multiple standards and definitions. Such efforts serve only to increase the "noise" in an industry that is already far too difficult for even experienced practitioners to explain to those who look to us to help them manage the complex array of risks that we all face in today's environment.
 
If a standard needs to be created, how should it be done?
True "standards" come about as the result of communication and collaboration involving experts in the subject matter area to which the particular standard is to apply. This is the only way to ensure that the standards that are created represent a consensus that will be of benefit to both the subject matter professionals and the respective communities that they serve.

From: Shimberg, David [mailto:David_Shimberg@PremierInc.com]
Sent: Thursday, August 14, 2008 3:12 PM
To: scarioti@asisonline.org
Cc: jcopenhaver@drii.org; mdeane@ansi.org
Subject: BSR/ASIS BCM.01-200x

 

Dear Ms. Carioti:

On behalf of the Board of Directors of the Contingency Planning Association of the Carolinas, Inc, CPAC, and our over 400 members, I strongly object to the proposed request and action by American National Standards Institute (ANSI) to create yet another standard on Business Continuity. 

DRII, the organization representing the majority of Business Continuity and Disaster Recovery professionals in the United States (and much of the world), has made it clear that our profession currently suffers from a confusing array of standards.  CPAC supports this view. DRII has worked hard to maintain, develop, and clarify standards in a collaborative manner; it has not only supported NFPA 1600 (the existing ANSI standard dealing with business continuity), but has recently reached out to ASIS to work with DRII, RIMS and NFPA on the “Framework for Preparedness” initiative sanctioned through the Sloan Foundation for the new federal legislation on voluntary private sector preparedness certification.

As a member of the DRJ Editorial Advisory Board's Rules & Regulations Committee, I helped compile a list (http://www.drj.com/index.php?option=com_content&task=view&id=713&Itemid=424) of over 100 rules and regulations (US and International) that affect us as professional planners.

As you should be well aware, professional and industry collaboration is the key to creating and maintaining valid, measurable standards. To our knowledge, ASIS has failed to work with or even approach the key players in my profession in the efforts it has undertaken thus far to create “standards” for that very profession. Given this lack of collaboration, on behalf of CPAC I strongly urge ASIS to drop this project with ANSI, and, if there are issues or concerns, to work directly with the principals in the Business Continuity profession.

I find it inconceivable that ASIS feels it has a place, or right, to independently develop standards for my profession.  I am certain your members would be equally offended if business continuity professionals took it upon ourselves to independently draft security standards for the security professionals we work with so closely.

David Shimberg, CBCP

Board Chairman

Contingency Planning Association of the Carolinas, Inc.

w) 704-733-5289

c) 704-906-1158

www.cpaccarolinas.org