Study Examines State of Business Preparedness

The majority of U.S. companies have a formal, written plan for emergency preparedness, according to a report released today by The Conference Board. But a widely adopted certification standard for such plans does not exist yet.

Three-quarters of the 302 senior corporate executives surveyed in mid-2007 said that an emergency preparedness plan exists in their companies. The analysis was sponsored by the U.S. Department of Homeland Security as part of an ongoing research project to assess the effectiveness of security in American companies.

The survey sample was intended to reflect the characteristics of American businesses as defined by size and industry. The sample was divided into three strata: small business (companies with $5 million to $50 million in annual sales); mid-market ($50 million to $1 billion in sales); and enterprise ($1 billion or more in sales). Within these groups of companies, the survey polled executives with responsibility for security, business continuity, crisis management, and emergency response efforts.

A "voluntary" certification process for preparedness was adopted as part of the 2007 homeland security legislation (Public Law 110-53). The choice of standards that would permit certification under the law is currently under review. As this report goes to press, it is expected that several different standards may qualify for certification.

"Currently, the most significant finding is that none of the many standards proposed for certification has attained widespread usage in the private sector," said Thomas Cavanagh, Senior Research Associate, Global Corporate Citizenship, The Conference Board.

The most common standard is the ISO 27001/17799 information security standard, which has been implemented by 23 percent of the surveyed companies. Following close behind, used by 20 percent of companies, is NFPA 1600, which was endorsed as the National Preparedness Standard in 2004 by DHS, the U.S. Congress, the 9/11 Commission, and the American National Standards Institute (ANSI). Three other kinds of standards have all been implemented by 12 percent of companies.

The larger companies are much more likely to have implemented the most widely known standards. At the enterprise level, 30 percent have adopted the ISO information security standard, compared with 24 percent of mid-markets and 15 percent of small businesses. Despite its high visibility as the National Preparedness Standard, NFPA 1600 has been implemented by 29 percent of large companies and less than 18 percent of those below the enterprise level. NIMS (the National Incident Management System) has been adopted by 19 percent of enterprise-level firms, compared to 10 percent of mid-markets and only 4 percent of small companies. The discrepancy is most dramatic with regard to C-TPAT, which has been implemented by one-quarter of large businesses but only single-digit percentages of companies with less than $1 billion revenue.

As with the other procedures examined, the size of the company has a major impact on the level of preparedness. Roughly three-quarters of companies at the enterprise level conduct regular risk audits, mitigation, and activation of their backup facilities, and two-thirds undertake regular tabletop exercises. Annual risk audits are conducted by 69 percent of mid-market companies, and 53 percent of mid-markets report that they conduct regular mitigation activities and backup site activation. However, only 31 percent conduct tabletop exercises at least once a year. Fewer than half of small businesses report that they conduct any of these activities on an annual basis.

Different industries have different approaches to the pursuit of preparedness. The clearest example is the IEEE SCADA standard, which is used by many firms in the energy industry (38 percent) but is rarely encountered in other sectors of the economy. NIMS is the most widely utilized in the energy and healthcare industries (38 percent and 29 percent respectively). The financial services industry leads the way in the implementation of NFPA 1600 (36 percent) and the ISO IT standard (33 percent).

Ownership structure also is strongly related to these aspects of preparedness. Among publicly traded companies, at least 70 percent report that they conduct risk audits, mitigation, and backup site activation at least once a year, and 59 percent undertake annual tabletop exercises. The proportion conducting annual risk audits falls to 58 percent for privately held companies and 47 percent for family-owned companies.

Fifty-two percent of private firms and 37 percent of family-owned companies conduct annual backup activation, and regular mitigation is undertaken by 43 percent of private companies and 40 percent of family firms. Regular tabletop exercises are conducted by only one-third of private companies and one-tenth of family-owned businesses.

The financial services sector is at or near the top of the list of industries on virtually every one of these procedures, with especially impressive showings for backup facility activation (72 percent) and tabletop exercises (64 percent). Service industries are most likely to schedule "work from home" days, a procedure most commonly followed in healthcare (39 percent), business and professional services (36 percent), and other services (32 percent).

The most common item in emergency preparedness plans is crisis communications, which is included in 91 percent of the plans. Almost as common is inclusion of evacuation procedures, present in 89 percent of plans. Other common items are securing access to facilities in 77 percent of plans, locating employees in 75 percent, first aid in 65 percent, liaison with first responders in 64 percent, legal representation in 42 percent, and coping with stress and trauma in 39 percent.

Compared with smaller companies, firms at the enterprise level are far more likely to have implemented written plans that contain these specific items. The differences are most striking with regard to organizational procedures that go beyond the immediate needs of first responders and involve dealing with stakeholders in the outside world. Eighty-eight percent of large companies have a written plan for crisis communication, compared to 63 percent of mid-markets and 48 percent of small businesses; and 52 percent of enterprises have a written plan for legal representation in the event of an emergency, as opposed to 24 percent of mid-market firms and 17 percent of small companies.

Among the companies with emergency preparedness plans, 58 percent have had the plan approved by their board. Therefore, 43 percent of companies overall have written emergency preparedness plans that have been approved by the board.

Among large companies, 92 percent of companies have a written plan, compared with 72 percent of mid-markets and 58 percent of small businesses. But only one-third of large companies have plans that have been formally approved by their board, compared to 49 percent of mid-markets and 44 percent of small firms.
