Monday, July 27, 2009

Another certification

 

A number of emergency management and disaster recovery lists recently carried a blurb stating "The National Fire Protection Association (NFPA) and the Disaster Recovery Institute International (DRI) have joined forces to create an education and certification program."

I know both organizations.

The blub identifies NFPA as the authority on fire and life safety," and the DRII as "the leading certification and education body in business continuity planning."

I might agree with the NFPA description (but what about the National Fire Academy and the International Association of Emergency Managers, the IAEM?), but I would have to challenge the DRII description. Caveat: My initial certification was from the Harris Institute, great for certification, somewhat lacking in easily available information. (Harris believed that anyone who successfully tested for the certification already knew the field.) My current certification is from The Business Continuity Institute (BCI). The certification is at least as good as DRIIs and unlike DRII, The BCI is not in the business of selling courses. DRII, to its credit, does have the better Web presence and makes that content available to all.

The blub states that the NPFA and the DRII will be offering an "education and certification program that will qualify participants to audit disaster/emergency management and business continuity programs against existing standards and regulations. Certification levels currently include Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA)."

Both seem to me heavy on the business continuity side and very light on the emergency management side.

For some time I have been preaching that business continuity and emergency management practitioners should work together and that there is a great deal of commonality between the two disciplines. But, like business continuity and disaster recovery, "there IS a difference."

My personal bottom line is that a combo certification will be like most compromises; less than satisfactory. Again, given the certifications' description and the fact that the "education and certification program (that) will qualify participants to audit disaster/emergency management and business continuity programs against existing standards and regulations.

"The certification will be granted by DRI International, the largest business continuity certification organization in the world" according to the blurb.

Course materials delve into existing legal and regulatory requirements by industry and country, as well as emerging requirements including: NFPA 1600, Standard for Disaster/Emergency Management and Business Continuity; DRI International' s professional practices, Course materials delve into existing legal and regulatory requirements by industry and country, as well as emerging requirements including: NFPA 1600, Standard for Disaster/Emergency Management and Business Continuity; DRI International's professional practices, financial services, insurance, healthcare, utilities, and public sector guidelines; and many others. In addition, careful attention is given to the processes by which disaster/emergency management and business continuity programs are initiated, with an eye toward corporate governance, policy, and procedures.. In addition, careful attention is given to the processes by which disaster/emergency management and business continuity programs are initiated, with an eye toward corporate governance, policy, and procedures."

Most business continuity practitioners who have been around awhile already have a copy of NFPA 1600 (or a national variation of the document) at hand. Generalists have controlling documents for "financial services, insurance, healthcare, utilities, and public sector; and many others." Most of the guidelines are freely available. (An exception to the rule are British Standards which are, for my budget, a tad pricy.)

While I am very "pro-emergency management," I think if I wanted emergency management certification I would look to an organization such as IAEM.

Like The BCI, the IAEM is comprised of professionals at varying degrees of experience - from the tyro to the very senior practitioner.

 

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

2 comments:

Bill MacKay said...

You raise some valid points. Like you I use NFPA 1600 and I am a member of the Technical Committee which wrote the Canadian standard CSA Z1600 that is based on NFPA 1600, includes some improvements and has more Canadian content in the annex material.

The one point I want to add is with regard to auditing or accrediting a program where we should not overlook the services offered by EMAP www.emaponline.org. EMAP focuses primarily on evaluating US public sector EM & BC programs but their very efficient and effective model can be used to audit to other standards. I have been trained as an EMAP assessor and I am impressed with the program.

Bill www.memci.ca

Proud80633 said...

Let me start by saying I believe in certification. I am a CBCP through DRI and have completed enough education units to be current through 2010. I am also a Certified Organizational Resilience Manager (CORM) through an application process with the International Consortium for Organizational Resilience (ICOR) www.theicor.org. I hold a Certified Business Manager (CBM) from ABPM www.abpm.org as well as a Certified Recovery Planner (CRP) from the University of Richmond, Virginia.


Before I retired from a multi-national design and semi-conductor manufacturer, I was often asked about certification and how to become involved in business continuity. Even though the company did not support direct certification, they did let me take one class.


As part of an industry consortium, the semi-conductor manufacturers created a business continuity ‘requirement’, conducting training for their vendors and qualification criteria. This process continues today through multiple layers of the vendor supply chain. The feeling was that every business is different and there is no real “one size fits all’ when it comes to business continuity, but there are many good reasons to have programs in place.


A person from IT would ask how they could become active in business continuity. They typically held vendor based acknowledged company transferable vendor certifications from Microsoft, Cisco, Novell, etc. Unfortunately, while they are the most knowledgeable folks in IT, they can better serve the organization by adopting continuity of operations and continuity methods.


Similarly, internal auditors saw the business continuity world as a potential growth path. Most of them held industry certifications from ISACA or IIA. These certifications did not transfer to the business continuity space. I found that educating auditors on how to audit business continuity efforts for the operations provided a significant win for their business units.


Members of the business continuity community have long said there should be a certification that is as recognized as a CPA (state based certification) or CISA or CISM through ISACA, etc. Unfortunately, there has not been a good clear path designed for one to move through certification. The most acknowledged business certifications come through nonprofit educational institutions, not through lobbying organizations.


I would like to see international certification for business continuity. Many industries in the United States are not required to have business continuity plans. Yes, you should have a plan, but it is not often required. The application of concepts needs to be consistent, too.


I recently had lunch with a woman that holds the same certifications I do. I was discussing the need for understanding safety stock, lead time offset, bread routes, and finished goods inventory strategies. These are all staples of the manufacturing arena. She explained she had only ever worked in the banking industry and had no idea there were so many things that needed to be considered in other industries. Equal certification does not necessarily mean equal knowledge base or the ability to apply that knowledge.


Having a single standard might be nice, but how practical is it, really? If you have a company with 50 or 100,000 employees worldwide, do you reorganize the company to meet NFPA1600? Do you really need to be ISO compliant, or is it sufficient to demonstrate to your customers that you are ISO like with additional agility?


Certifications, standards and companies are not all created equal. Building a robust business continuity process that is integrated throughout the organization is still the best competitive advantage to my mind.