Several weeks ago (I forgot to post it!) the National Fire Protection Association (NFPA) released the 2016 update of their 1600 standard, and with a slightly different name: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs. More on the name change in a bit.
For those not familiar with NFPA 1600, if you are in the emergency management field, you should be familiar with it. While not legally binding (unless specifically referenced by a law or regulation), NFPA 1600 is an excellent standard for modeling an emergency management program. Like any good standard, it provides guidance on what components you should have, but doesn’t tell you how to do it. NFPA 1600 is also very complimentary to the Emergency Management Accreditation Program (EMAP), with no conflicts between these standards – mostly because EMAP foundationally references much of NFPA 1600. NFPA 1600 can be found here. The NFPA provides a free download of the standard (it is heavily copyrighted, so exercise prudence in how you handle it) or you can pay to obtain paper copies.
On to the changes in this update. As mentioned, the title has been altered a bit by adding ‘Continuity of Operations’. While it doesn’t say so, I’m guessing that some government-types may have approached NFPA 1600 a bit skeptically thinking that it was really intended for the private sector. The thing is, business continuity is a specific function within emergency management, but largely follows many of the same processes, just with a particular focus.
Within the standard, the early section titled ‘The Origin and Development of NFPA 1600’ summarizes the evolution of the standard, and provides some information on the changes to the 2016 update. They mention that “The purpose of the standard has been changed to reflect the Committee’s decision to emphasize that the standard provides fundamental criteria for preparedness and that the program addresses prevention, mitigation, response, continuity, and recovery. In other words, “preparedness” is no longer just an element of the program – it is the program.” That perspective on preparedness is a great continued evolution of the concept within emergency management. While the standard in emergency management used to be the emergency management cycle with preparedness as one phase, that is thankfully beginning to go away (although it’s still seen out there way too much for my taste).
The truth is preparedness permeates everything we do – all phases (or mission areas) of emergency management. That’s why there are five mission areas identified in the National Preparedness Goal (Protection, Prevention, Response, Mitigation, and Recovery). Where is preparedness? It’s the root of the document (literally… it’s in the name of the document). Preparedness is addressed for each mission area. We must prepare to protect, prepare to prevent, prepare to respond, prepare to mitigate, and prepare to recover.
As usual, I digress…
Back to NFPA 1600. This 2016 update includes language within “crisis management planning to include issues that threaten the reputation of and the strategic and intangible elements of the entity as a result of an event or series of events…”. Smart move. These elements of crisis management are something we see in both the public and private sector and certainly should be addressed.
Since business continuity does remain a focus element of the standard, they have continued to enhance those aspects. As such, they have included information on supply chain risk and information security within the document. When considering business continuity, we can’t just look at our own operations. The vulnerabilities of other organizations can certainly impact us, so examining supply chain vulnerabilities is wise. As for information security, we have seen plenty of internal and external cybersecurity issues to justify that. Although a bit late, I’m glad the NFPA is keeping up with technology and current trends and hazards. They have also rewritten much of the business impact analysis section (within Chapter 5) to address continuity planning and recovery planning, with a specific differentiation between the two.
Lastly, they have added Annex C, a small business preparedness guide (good move NFPA!), and have added material on addressing the needs of persons with access and functional needs, as well as adding some information on the role of social media in crisis communications plans.
These are all positive changes for the NFPA 1600 standard. I encourage everyone who is part of an emergency management program to take a look at it and see what it has to offer. It’s good guidance and will probably provide some good ideas for helping you grow and maintain an impactful program.
For those interested, I have a couple of past articles on standards in emergency management:
© 2016 – Timothy Riecker
Emergency Preparedness Solutions, LLC – We are your Partner in Preparedness!