“Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs”
NFPA 1600 “Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs” is published by the National Fire Protection Association (NFPA). NFPA is an American National Standards Institute Accredited Standards Developer (SDO). It was founded in 1896 and is an independent, non-profit, organization whose mission is to reduce the worldwide burden of fire and other hazards on the quality of life by providing and advocating consensus codes and standards, research, training, and education. NFPA has over 80,000 members in more than 100 nations.
Role in NFPA 1600
Donald L. Schmidt, CEO of Preparedness, LLC is the Past Chair of the NFPA 1600 committee. He joined the committee in 1994; has been involved in every edition of NFPA 1600; and served as chair for the 2010, 2013, and 2016 editions. Mr. Schmidt is the editor of “Implementing NFPA 1600 National Preparedness Standard” published by NFPA.
History of NFPA 1600
Program Self-Assessment Checklist
This 200+ question checklist is based on NFPA 1600 “Standard on Disaster/Emergency Management and Business Continuity Programs” published by the National Fire Protection Association and available online for free download at www.nfpa.org/1600.
Auditing the Preparedness Program
Our Preparedness Bulletin provides guidance on auditing your preparedness program.
1991 Disaster Management Committee Established
The Technical Committee on Emergency Management and Business Continuity was established by the NFPA Standards Council in January 1991. The committee was assigned responsibility for developing documents relating to preparedness for, response to, and recovery from disasters resulting from natural, human-caused, and technological events.
The technical committee includes a maximum of 30 voting, principal members, alternates (nonvoting if the principal member votes), and notnvoting members from the United States, Canada, and abroad. In accordance with the American National Standards Institutes's rules for accredited standards developers, no more than one-third of the members can represent the same interest group. This concept of "balance" is designed to prevent one group from dictating the content of the standard.
Members come from the private sector and public sector (federal, state, and local government). Private sector industry representatives include financial services, insurance, energy, health care, technology, manufacturing, higher education, utilities, and consulting. Current and past members represent or have represented DRI International, U.S. Department of Homeland Security (DHS), National Emergency Management Association (NEMA), NEMA's Emergency Management Accreditation Program (EMAP), and the International Association of Emergency Managers (IAEM).
1995 Recommended Practice for Disaster Management
NFPA 1600 was first published in 1995 and titled “Recommended Practice for Disaster Management.” A “recommended practice” is written with the word “should” as the operative word in elements of the standard. At the time, the committee felt that a new standard should be first introduced as a recommended practice.
Recommended practices are not written for adoption by government or incorporation into regulations. NFPA’s codes and standards use the mandatory word “shall” to prescribe mandatory requirements.
The second edition of NFPA was adopted in 2000 in the form of a “standard.” Nonmandatory language in the document (use of the word “should”) was changed to mandatory language (“shall”) throughout.
This edition also incorporated a “total program approach” for disaster/emergency management and business continuity with common program elements, techniques, and processes.
2004 9/11 Commission Recommendation
In January 2004 following the terrorist attacks of September 11, the 9/11 Commission investigated the preparedness of private sector organizations. The American National Standards Institute was asked to find consensus on a “National Standard for Preparedness” for the private sector. A series of workshops was held in 2004 under the auspices of ANSI’s Homeland Security Standards Panel, and the panel recommended that the Commission endorse a voluntary National Preparedness Standard. The recommended standard was NFPA 1600®. The 9/11 Commission’s recommendation to adopt NFPA 1600 can be found in Chapter 12 of the 9/11 Commission Report.
“We endorse the American National Standards Institute’s recommended standard for private preparedness. We were encouraged by Secretary Tom Ridge's praise of the standard, and urge the Department of Homeland Security to promote its adoption. We also encourage the insurance and credit-rating industries to look closely at a company's compliance with the ANSI standard in assessing its insurability and creditworthiness. We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. Private-sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. It is ignored at a tremendous potential cost in lives, money, and national security.”
The 2004 edition was published in April 2004. The standard continued to evolve, and it was reformatted to comply with NFPA's Manual of Style.
2004 Public Law 108-458
This recommendation has since been restated in two federals laws--Public 108-458 and most recently within Title IX of Public Law 110-53, which calls for voluntary certification of private sector preparedness programs. [click here for details on PL 110-53 and the voluntary program.]
A significant change to the 2007 edition was the expansion from the historical “four phases of emergency management” to include prevention bringing the standard into alignment with the related disciplines and practices of risk management, security, and loss prevention.
For the first time, the logos of the U.S. Department of Homeland Security (DHS), the International Association of Emergency Managers (IAEM), and National Emergency Managers Association (NEMA) were added to the cover recognizing their endorsement of the standard.
2007 Public Law 110-53 “PS-Prep”
The 9/11 Commission’s recommendation for enhanced private sector preparedness (2004) was written into two Federal Laws—Public Law 108 458 in 2004 and Public Law 110-53 in 2007. Title IX of PL 110-53 calls for the voluntarily certification of private sector preparedness programs—now referred to as PS-Prep.™ The U.S. Department of Homeland Security has designated multiple editions of NFPA 1600—most recently the 2016 edition—to be used as the criteria for accreditation of private sector preparedness programs.
Go to the official PS-Prep website for more details.
The 2010 edition of NFPA 1600 was significantly reorganized. Chapter 5 of the 2007 edition was expanded into four chapters, which were reordered to follow a program development process. This ordering also follows the “Plan—Do—Check—Act” program development process that users of ISO standards are accustomed to.
Management commitment to, direction of, and support for the emergency management and business continuity program is critical. This was the impetus for the committee to include a new section 4.1 on “Leadership and Commitment.” Program management was also enhanced with a new section, 4.6, on “Performance Objectives.” Finance and administration is another pillar of an emergency management and business continuity program. The finance section, which used to appear at the end of the 2007 edition has been relocated to the program management chapter and expanded to include crisis management procedures. A new records management section has been included as well to fulfill auditing requirements.
A new section on “Business Impact Analysis” was added to Chapter 5 supplementing the risk assessment section of the 2007 edition. This new section includes a requirement to evaluate the potential for loss of information—technically referred to as the “recovery point objective” or “RPO.”
A new section, 6.6 “Employee Assistance and Support,” was added to address the need to render care for the physical and emotional well-being of employees in the aftermath of an incident.
The committee significantly expanded the requirements for exercises and placed it within its own chapter. These requirement are performance based—to establish and maintain required capabilities. Basic design requirements for exercises were specified.
Program evaluation was moved from the program management section of the 2007 edition and expanded within a new chapter on program improvement. The new chapter included management review of policies, objectives, and program implementation. “Triggers” for program evaluation were specified in addition to the requirement that the program should be evaluated whenever the effectiveness of the program has been called into question.
Annex F, NFPA 1600 2013 Edition as a Management System Standard, was added for use by those who wish to follow a “management system standard” . Language was added to the standard to allow users to adopt Annex F in place of the numbered chapters of the standard.
The 2013 edition continued the reordering of the standard to align with a program development process and the continuous improvement process.
Performance objectives were moved from Chapter 4, Program Management to Chapter 5, Planning. Prevention and mitigation were moved from Planning to Chapter 6, Implementation. Resource management was split into resource needs assessment (Chapter 5, Planning) and resource management (Chapter 6, Implementation).
Content on “communications and warning” and “crisis communications” was totally written into two sections “Warning, Notifications, and Communications” and “Crisis Communications and Public Information.”
Requirements for business continuity and recovery were revised throughout the document, and new requirements for employee assistance and support were added.
Chapter 7, Training and Education was added to expand and clarify those requirements. In Chapter 9, the committee added program maintenance requirements. Annex A was reorganized, and new annexes were added.
NFPA 1600 is used extensively in the private and public sectors. Recognizing the public sector terminology of "continuity of operations planning, often referred to as “COOP,” the committee voted to expand the title to include the words “Continuity of Operations.”
The purpose of the standard was also changed to emphasize that the standard provides fundamental criteria for preparedness, and that the program shall address prevention, mitigation, response, continuity, and recovery. In other words, "preparedness" is no longer an element of the program—it is the program.
The committee clarified crisis management planning emphasizing that entities prepare to address issues, an event, or series of events, that severely impacts or has the potential to severely impact an entity's operations, reputation, market share, ability to do business, or relationships with key stakeholders.
Business continuity was again a focus of the 2016 edition and supply chain risk and information security were addressed in multiple places. Supply chain vulnerability assessment was added to the section on risk assessment. Assessment of the impacts that could result from the loss of “information” was added to the requirements for the impact analysis. Planning for the security of information was added to the continuity planning section. The business impact analysis section in Chapter 5 was largely rewritten along with revised sections on continuity planning and recovery planning to provide more depth and differentiate “continuity” from “recovery.”
A significant change to the risk assessment requirements in Chapter 5, Planning was the relocation of the detailed list of natural, human-caused, and technological hazards from Annex A to the requirements for risk assessment. The committee felt that the risk assessment is so important to the foundation of the program, that users should evaluate—to the extent necessary—all of the hazards on the list during the risk assessment process.
Annex C, Small Business Preparedness Guide was included to address a longstanding need for small business planning. A definition for persons with access and functional needs was added, and it supports new Annex J, Access and Functional Needs. Minor changes address the role of social media within crisis communications plans and capabilities.