National Preparedness Requirements: Harnessing Management System Standards

Sharon Caudle

ABSTRACT: This article argues for a fundamental change in national preparedness guidelines and their requirements from centralized to decentralized governance using management system standards. The federal government’s national preparedness requirements encompassed in the Department of Homeland Security’s (DHS) National Preparedness Guidelines should be replaced by the application of national or international preparedness management system standards. In addition to calls for preparedness standards, the widespread and growing use of standards is consistent with a number of significant homeland security management developments. These include the general stabilization and institutionalization of the federal homeland security mission and goals, the availability and use of robust preparedness management system standards, challenges in assessing preparedness capabilities, and considerations of federalism and intergovernmental relations cooperation. If the Guidelines are replaced by management system standards, then two other issues must be resolved: whether the standards should be mandated and certification or accreditation processes applied.

SUGGESTED CITATION:
Caudle, Sharon. “National Preparedness Requirements: Harnessing Management System Standards.” Homeland Security Affairs 7, Article 14 (June 2011). https://www.hsaj.org/articles/44

Introduction

It may well be time for a fundamental change in national preparedness guidelines and their requirements, moving from centralized to decentralized governance via management system standards. Over the past decade, the federal government’s national preparedness activism has had its roots in Homeland Security Presidential Directive 8 (HSPD 8). Issued in 2003, HSPD 8 requires a national preparedness goal with readiness priorities and targets that are measurable.1 Public Law 109-295 codified HSPD 8, requiring the president to complete, revise, and update a national preparedness goal to define the target level of preparedness.2 The law also established the national preparedness system, which was to include (1) target capabilities and preparedness priorities, (2) equipment and training standards, (3) training and exercises, (4) a comprehensive assessment system, (5) a remedial action management program, (6) a federal response capability inventory, (7) reporting requirements, and (8) federal preparedness. National planning scenarios are part of the system.3 The goal and system components are encompassed in the Department of Homeland Security’s (DHS) National Preparedness Guidelines, last issued in 2007.4

While a new design might accept the fundamental goals of HSPD 8, the aim is a shift from compliance rooted in the Guidelines components to the application of national or international management system standards for preparedness. The fundamental reason is that management system standards embrace what an organization itself must do to manage its processes or activities. As illustrated later in this article, management system standards foster flexibility, adaptability, and more localized decision-making as they rarely state specific “down in the weeds” performance criteria to judge performance. Instead, they set a condition the individual organization is to meet through its own specific performance criteria and management system.5 For example, a standard element might simply state, “communication and warning systems shall be reliable, redundant, and interoperable.” An organization then must ensure implementation to meet this element. Such a move is in contrast to what is basically a “one size fits all” approach that challenges preparedness accountability and federal oversight capabilities. Significantly, management system standards will provide real and usable benchmarks for organizational accountability based on national and international consensus understandings. And because management system standards are nationally and internationally developed, used, and revised, they can facilitate a whole-of-government (if not a whole-of-all-sectors) approach through stability and standardization common to individual organizations. Another benefit to a change to management system standards is that the federal government would no longer need to maintain the Guidelines and its voluminous supporting documents. State and local governments would not need to contend with changes in requirements and oversight as federal administrations come and go.

The Basics: Management System Standards

Standards generally are a uniform set of measures, agreements, conditions, or specifications that establish benchmarks for performance.6 Management system standards address planning, implementation and operation, evaluation and the like. Drawing on information from the American National Standards Institute (ANSI), ISO, and the United States Standards Strategy, Table 1 summarizes the primary elements of the management system standards process and principles.7

Table 1. Management System Standards Elements

Element Management System Standards
Objective
  • Coverage of what the organization does to manage its processes or activities producing products and services satisfying customers, complying with regulations, or meeting environmental objectives
  • Performance-based in specifying essential characteristics but not detailed designs as to how they should be met in any particular organization
  • Integration with other management system requirements in a “whole-of-management” approach
Organizational Application
  • Organizations of all sizes, in all sectors, all cultures, and all products and services
  • Voluntary adoption but may be part of national regulatory frameworks or legislation, or a market requirement
Developer
  • Accredited standards developers through technical committees of experts representing materially affected and interested parties
Development Process
  • Strict rules for development with committee consensus on a proposed standard
  • Broad-based public review and comments on draft standards with consideration of and response to comments; incorporation into a draft standard with right to appeal
  • Reviewed at least every five years after publication by technical experts
  • Avoidance of overlapping or conflicting standards
Audit and Certification
  • Organization must audit its management system to verify processes are being managed effectively
  • Organization may have external audits, such as from clients
  • Independent system certification body can certify; certification is not a requirement

Well-known management system standards are set forth in the International Organisation for Standardization (ISO) 9000 (the international standard for quality management) and ISO 14000 (environmental management). Formal committees employing a very strict development, implementation, and revision process develop these management system standards consensually. This is an open process designed to keep the standards “evergreen.”8 An evaluative component requires an ongoing audit process to ensure the standards’ processes are being managed effectively. Management system standards have been successfully implemented by organizations in all sectors and of all sizes.9 Adopting the management system standards is most often voluntary, but some industries may apply them as an obligatory standard of care.

Such standards promote flexibility and provide a common set of requirements and reference language between organizations and their customers, regulators, the public, and other stakeholders. They provide direction and assessment criteria for the entire “product chain” and all of management. The result expands responsibility from an individual organization and its activities to the whole product chain and its actions.10 Further, the standards support alliances and facilitate a coordinated effort across national interest areas and across the globe.11 They also emphasize the management of processes and activities independent of an organization’s products and services.

Foundation for Adoption of Management System Standards

There have been a number of calls for adopting formal homeland security preparedness standards both before and after the issuance of HSPD 8, the resulting construction of the National Preparedness Guidelines, and other activities, such as development of federal scenario-based strategic plans. Shortly after the September 11 terrorist attacks, the first National Strategy for Homeland Security included language recommending national standards for emergency response and training, including a certification program for first responders.12 According to Ben Canada,13 some state and local officials called for national preparedness standards, including authoritative rules, principles, or measures against which the quality, level, or degree of preparedness could be measured. These standards could serve as a baseline of preparedness goals for state and local assessment and provide Congress and federal agencies a means to measure the effectiveness of new and existing preparedness programs paid for by federal assistance.

Testifying before the National Commission on Terrorist Attacks Upon the United States (generally referred to as the 9/11 Commission) in 2003, Randall Yim saw standards as improving coordination across federal, state, local, and private sectors and enhancing measurement of continued preparedness.14 Standards, he noted, could clarify the role(s) each organization plays in homeland security, factor in costs, and legal, jurisdictional, and other constraints, and identify ways to embed homeland security criteria into business and government systems in ways compatible with other important social and economic goals. The standards emphasize execution and are particularly suitable for areas requiring stable, reliable, and multi-faceted participation, he noted. Certification to standards also emphasizes both best business practice and standard of care in many industries. They are also scalable and replicable across geographic regions, a central need in homeland security. Later work by Yim and Sharon Caudle,15 Caudle,16 and Caudle and Yim17 further encourages management system standards as appropriate for homeland security preparedness.

More recently, national standards have been proposed in specific areas. Ashley Bowen discusses standards for a minimum number of emergency exercises and a review of emergency plans and practices by a third party to assess their functionality and appropriateness.18 Bowen also believes that federal security grant allocations should be contingent upon a rubric of standards. Paul Light19 recommends that Congress and other policymakers establish voluntary standards for crisis readiness through statutes and award programs. Such standards would include benchmarks for increasing crisis readiness, with oversight by a quasi-independent monitoring agency modeled on federal organizations such as the Security Exchange Commission.

Calls such as these for preparedness standards are informative. Moreover, the widespread and growing use of standards is consistent with a number of significant homeland security management developments. At a minimum, these include the general stabilization and institutionalization of the federal homeland security mission and goals, the availability and use of robust preparedness management system standards, challenges in assessing preparedness capabilities, and considerations of federalism and intergovernmental relations cooperation.

Stabilization and Institutionalization

Over the last several years, there has been a general stabilization and institutionalization of the federal homeland security mission and its goals. In its first issue, the Quadrennial Homeland Security Review Report, intended to present a strategy for the homeland security enterprise as a whole, not just the Department of Homeland Security,20 marginally updated the scope and content of homeland security compared to earlier homeland security doctrine. The 2010 Report detailed key mission priorities and goals for each mission area. It also expanded the definition of homeland security, which is now “a concerted national effort to ensure a homeland that is safe, secure, and resilient against terrorism and other hazards where American interests, aspirations, and way of life can thrive.”21

The Review Report’s mission areas, priorities, and goals are consistent with and only marginally different from those presented in past policy and budget documents. Indeed, they might be characterized as enhancements of policies and resource allocations instead of sea changes in the direction of homeland security. For example, 2010’s mission areas remain virtually the same as those identified in policy documents such as the 2007 National Homeland Security Strategy.22 These include preventing terrorism and enhancing security, securing and managing the borders, enforcing and administering immigration laws, safeguarding and securing cyberspace, and ensuring reliance to disasters. Similar themes are presented in the most recent National Security Strategy, issued by the White House in May 2010.23 According to Christopher Bellavita, most issues defining homeland security over the past several years are now fairly consistent.24 It is reasonable to conclude that substantial stability exists in national homeland security missions and objectives, as well as in policy and operational issues.

Standards’ Availability and Use

A second development is the availability and use of robust preparedness management system standards. A number of national and international voluntary standards are in use today, all containing very similar preparedness management program elements. These standard elements, in turn, are implemented as a complete preparedness program in an organization.

For example, in the United States, the National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs covers disaster/emergency management and business continuity programs. It is intended to establish a common set of criteria for those programs.25 The standard provides the criteria to “develop, implement, assess, and maintain the [all hazards disaster/emergency management and business continuity] program for prevention, mitigation, preparedness, response, continuity, and recovery.”26 The 2007 version of NFPA 1600 incorporated changes to the 2004 edition, including updating aspects of mitigation, preparedness, response, and recovery and adding prevention as a fifth and distinct concept. The 2010 version included changes such as emphasizing the importance of leadership and commitment and new requirements for defining performance objectives. The American national standard, ASIS SPC.1-2009 (Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use), is a comprehensive management systems approach for security, preparedness, response, mitigation, business/operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis, or disaster.27

The American national standard, ASIS/BSI BCM.01-2010 (Business Continuity Management Systems: Requirements with Guidance for Use), also is an accepted standard by the British Standards Institution.28 The international ISO/PAS 223999:2007 Societal Security: Guideline for Incident Preparedness and Operational Continuity Management standard presents principles and elements for an organization’s preparedness and operational continuity. It is designed for private, governmental, and nongovernmental organizations to develop specific performance criteria and an appropriate management system.29

As an illustration, Table 2 provides selected examples of common elements from the NFPA 1600 2010 edition standards. The ASIS SPC.1-2009 and ASIS/BSI BCM.01-2010 standards have consistent elements. Recognized preparedness standards, including those covering business continuity, disaster management, and emergency management, are tested and tailored to organizational needs. Organizational decision-makers focus on their near and long-term preparedness goals, using the standard elements as criteria to develop, implement, and sustain their preparedness programs. These preparedness standards are reviewed continually and revised to reflect new knowledge.

Table 2. Selected Examples of Preparedness Management System Standard Common Elements

Element Selected Examples of Standard Coverage
Program Management
  • Leadership shall demonstrate commitment to the program to prevent, mitigate the consequences of, prepare for, respond to, maintain continuity during, and recover from incidents.
  • Top management shall define, document, and provide resources for the organization management policy.
  • The entity shall establish performance objectives for program requirements.
  • There shall be crisis management procedures to provide coordinated situation-specific authorization levels and appropriate control measures.
  • The entity shall develop and enforce procedures coordinating the access and circulation of records within and outside the organization.
Planning
  • The program shall follow a planning process that develops strategic, crisis management, prevention, mitigation, emergency operations/response, continuity, and recovery plans.
  • Crisis management planning shall address issues that threaten the strategic, reputational, and intangible elements of the entity.
  • The entity shall conduct a risk assessment to identify strategies for prevention and mitigation and to gather information to develop plans for response, continuity, and recovery.
  • The prevention strategy shall be based on the results of hazard identification and risk assessment, impact analysis, program constraints, operational experience, and cost benefit analysis.
Implementation
  • The entity shall establish procedures to locate, acquire, store, distribute, maintain, test, and account for services, human resources, equipment, materials, and facilities procured or donated to support the program.
  • Communication and warning systems shall be reliable, redundant, and interoperable.
  • Emergency operations/response plans shall assign responsibilities for carrying out specific actions in an emergency.
  • The recovery plan shall provide for restoration of functions, services, resources, facilities, programs, and infrastructure.
  • The entity shall develop and implement a training and education curriculum to support the program.
Testing and Exercises
  • The entity shall evaluate program plans, procedures, and capabilities through periodic testing and exercises.
  • Testing and exercises shall be conducted on the frequency needed to establish and maintain required capabilities.
Program Improvement
  • The entity shall improve effectiveness of the program through management review of the policies, performance objectives, evaluation of program implementation, and changes resulting from preventive and corrective action.
  • The entity shall establish a corrective action process.

The elements are in harmony with contemporary work on evaluating emergency management programs. Daniel Henstra provides a framework for evaluating local government emergency management programs.30 His work draws together criteria to evaluate the quality of local emergency management, centered on the planning and capacity necessary for an event that may never occur. He defines a quality management program as “the extent to which a local government has adopted policies to prepare for emergencies, mitigate their impacts, ensure an effective emergency response, and facilitate community recovery.”31 His high-quality emergency program includes preparedness, mitigation, response, and recovery policies. Management system standards also respond to evaluative frameworks for disaster and emergency preparedness, response, and recovery, such as that recommended by Liesel Ritchie and Wayne MacDonald.32 Their work identifies the phases of preparedness, response, and recovery connected to responsibility for the evaluation (intra-organizational, inter-organizational, and system-wide) and how the evaluation will be used (developmental, formative, and summative).

Standards such as NFPA 1600 and ASIS SPC.1-2009 typically offer explicit guidance on the use of the standard and technical experts who can assist with implementation. For example, the explanatory material in NFPA 1600 (2010 edition) covers every element and most of the sub-elements. The material contains a wealth of information to aid in implementation, from definitions to observations on practical decision-making. Supporting annexes cover resources to develop a preparedness program, a self-assessment guide in determining conformity with the requirements, management system guidelines, and other informational references.

To illustrate, one NFPA 1600 program management element (4.1.1) is “The entity leadership shall demonstrate commitment to the program to prevent, mitigate the consequences of, prepare for, respond to, maintain continuity during, and recover from incidents.” The explanatory information states that:

Leadership should identify and have access to applicable legal, regulatory, and other requirements to which the organization subscribes that are related to the organization’s hazards, threats, and risks that are associated with its facilities, activities, functions, products, services, and supply chain, the environment, and stakeholders. The way these requirements apply to its hazards, threats, and risks, and their potential impact should be determined. The organization should document this information and keep it up to date.33

Two national programs already voluntarily implement the preparedness standards. The 9/11 Commission, subsequent legislation, and DHS rules crafted a management system standard program for the private sector. In 2004, the 9/11 Commission stated that the ANSI NFPA 1600 standard should define the standard of care that any company owed to its employees and the public. Adoption of the ANSI standard was considered essential in protecting privately owned critical infrastructure, although the Commission did not mandate the adoption of the standard for emergency preparedness.34 Subsequently, Section 524 of the August 2007 P.L. 110-53 called for DHS to create a voluntary private sector preparedness program and standards, including accreditation and certification processes. The law defined voluntary preparedness standards as “a common set of criteria for preparedness, disaster management, emergency management, and business continuity, programs,” such as NFPA 1600.35

DHS is implementing the requirements through the Private Sector Preparedness Accreditation and Certification Program (PS-Prep). In June 2010, DHS approved three accepted management system standards for the PS-Prep program: ASIS SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System; British Standard 25999-2:2007 Business Continuity Management; and National Fire Protection Association 1600: 2007/2010 Standard on Disaster/Emergency Management and Business Continuity Programs. At the end of September 2010, DHS announced a certification program tailored to the needs of small business.36 The work on the PS-Prep program has provided the homeland security community with a more comprehensive understanding of the principles and processes of standards development, which is something it may not have had before.37

A second national effort is the current voluntary Emergency Management Accreditation Program (EMAP), a voluntary review process for state and local emergency management programs. EMAP certifies government programs against standards directly based on NFPA 1600. The accreditation starts with a self-assessment by state, regional, territorial, tribal, county, and municipal government programs responsible for emergency management and homeland security. An independent team of assessors trained by EMAP then evaluates the programs for accreditation, valid for five years. More than thirty programs, mostly state governments, are now accredited.38

Preparedness Progress

A third development is the challenge in assessing preparedness capabilities that are to be built in compliance with the Guidelines. FEMA has that responsibility, with uneven results. The Post-Katrina Reform Act requires each state to submit a preparedness report, including current preparedness capability levels and estimates of needed investments. In recent reports, the Government Accountability Office (GAO) identified a number of ongoing issues with FEMA’s progress in assessing preparedness capabilities and challenges with the overall infrastructure for that assessment and subsequent reporting.39

Of course, the main concern is national preparedness funding and its results. In April 2010, Shawn Reese noted that one issue for further Congressional attention might be the evaluation of DHS assistance to state and localities and its impact. DHS has only taken limited action in assessing to what extent federal grant funding — guided by federal preparedness requirements — has enhanced the nation’s homeland security, if at all. The capability assessment was troubled by grantee self-assessments and reporting, including the lack of analytical training and experience. Reviews of state and urban area management of homeland security grant programs revealed weaknesses in costs, monitoring, and oversight; measureable program goals and objectives; and needs assessment.40 Reese further noted that Congress had appropriated a total of $34 billion for state and local homeland security assistance from fiscal year 2002 through 2009, with fiscal year 2010 appropriations totaling $4.2 billion.41 However, DHS had not reported to what extent this funding has resulted in state and local homeland security capabilities — a key goal of the Guidelines.

The Local, State, Tribal, and Federal Preparedness Task Force 2010 report to Congress noted, as did GAO, that specific, measurable outcomes for preparedness efforts had yet to be defined and assessed. The Task Force interestingly observed that preparedness assessment metrics and targets in any DHS capability level guidance should be based on existing standards, such as the Emergency Management Accreditation Program standards.42 As discussed further in this article, preparedness can be consistently assessed against the standards through well-recognized certification or accreditation processes.

Federalism and Intergovernmental Relations

A fourth development is federalism and intergovernmental relations, specifically the tension between central and decentralized functional control when national interests are at stake. In today’s environment, the interest in national preparedness and intergovernmental relationships might be better served by a cooperative relationship with the end goal of strong preparedness implementation and adaptation in mind — exactly the aim of preparedness management system standards.

The 2001 terrorist attacks and the aftermath of Hurricane Katrina fostered a belief in strong federal control, but with a growing recognition that a more collaborative framework was needed. For example, a year after the 9/11 attacks, John Kincaid and Richard Cole surveyed experts on federalism and intergovernmental relations who believed the terrorist attacks would result in a highly federalized response to terrorism, but with intergovernmental cooperation and coordination.43 Deil Wright also notes that the 2001 terrorist attacks resulted in what he views as a massive shift in federalism and intergovernmental relations. Domestic-targeted terrorism resulted in the national government, initially, and then the new Department of Homeland Security controlling functions that were previously controlled at state and local levels. He advocates a more collaborative relationship fostering joint or concurrent operations.44 Because of national interests, Charles Wise and Rania Nader as well observe there was a demand for federal leadership and top-down decision-making in setting priorities and standards. The perception is that federal preparedness guidelines do not take into account local or regional priorities and needs. However, they also believe federal, state, and local agencies implementing these priorities should be able to adapt strategies more responsive to changing threats and differing local conditions.45

Specifically writing about preparedness, Samuel Clovis noted in 2006 that the homeland security grant programs and federal, state, and local arrangements focused on conditions, one-size-fits-all solutions, compliance, and reporting. He favors much more collaborative approaches. The role of Congress and DHS, he believes, should be to provide guidelines, milestones, and sufficient funding. State and local governments should have maximum flexibility in implementing homeland security programs. Moreover, state and local jurisdictions should collaborate with other jurisdictions where possible in aggregating capabilities.46 In a later article, Clovis observed that the expansion, development, and implementation of directives for HSPD 8 moved the tone and directness from partnering and facilitation to dictates and compliance.47 His judgment is that “HSPD-8 and its spawn could be characterized as a direct assault on the stability of American federalism and intergovernmental relations, particularly in this policy arena.”48

Paul Posner’s work is also instructive. In 2003, Posner noted that a major governance challenge was how to institutionalize preparedness to prevent or better prepare for the next event. He details the emergency of what he called protective federalism.49 In subsequent work, Posner describes trends, over the past forty years, moving toward a more coercive and centralized federalism (including policy actions such as instituting more statutory mandates, grant conditions, and regulation). Importantly, the nationalization of priorities and policies — such as those concerning security — relegated federalism issues to secondary considerations. The federal role in homeland security expanded via intergovernmental grants and mandates because of factors such as the high-stakes national interest and extensive interdependencies. In Posner’s view, the high stakes in particular provided the strong incentive for federal, state, and local leaders to accept regulatory standards. Acceptance meant protection from problems in deciding how much preparedness was adequate. The result, of course, was the Guidelines, which Posner views as a sweeping mandate. Quite simply, Congress, the president, and state and local governments took advantage of the opportunity in responding to a national crisis.50

Now there is recognition that strong federal control may be problematic and might be said to help seed the movement towards management system standards. A 2008 report by the Project on National Security Reform’s Homeland Security Team observed that the primary responsibility and authority for homeland security might have to devolve from the federal to the state level. The report stated that an integrated, national preparedness and operational framework at the federal level may aid, but does not require, interagency coordination and collaboration. Instead of hierarchical controls, the Project believed that a more concrete national governance model should be put in place to achieve national objectives. One of the Project’s suggested solutions was adopting cooperative standard-setting regimes, such as the standards of the National Fire Protection Association, instead of detailed prescriptive requirements such as the Target Capabilities List (TCL) and Universal Task List (UTL).51

Other Decision Considerations

If the Guidelines are replaced by management system standards, then two other issues must be resolved. One is whether the standards should be mandated and another is certification or accreditation processes.

Mandatory Adoption

Normally, management system standards such as those under the PS-Prep program, EMAP, or ISO adoption are voluntary, although compliance with such standards may be seen as part of a legal standard of care across an industry. Caudle has recommended that the current federally developed, top-down preparedness framework be replaced by mandated nationally and internationally recognized consensus management system standards.52

Discussed above are the overall benefits of management system standards operating in a stable policy and doctrine environment. Whether these are mandated or optional depends on expected policy goals. Government agencies could implicitly mandate standards by using them as guidelines for complying with regulatory requirements. Or the agencies may forego a mandatory regulation if they view voluntary compliance as meeting policy goals. This seems to be the legislative and executive branch approach taken with the PS-Prep voluntary standards for the private sector.

The Government Accountability Office53 has identified several mechanisms where the federal government and the states share regulatory objectives. They offer different options for implementation and enforcement. These are described in Table 3.54

Table 3. Shared Regulatory Mechanisms and Implementation/Enforcement Options

Mechanisms Implementation/Enforcement Options
Fixed federal standards

Fixed federal standards that preempt all state regulatory action in the subject area covered

Direct implementation by the federal agency
Federal minimum standards

Federal minimum standards that preempt less stringent state laws but permit states to establish standards more stringent than the federal

Implementation by the states, approved by and under some degree of oversight by the federal agency
Grant conditions

Inclusion of federal regulatory provisions in grants or other forms of assistance as a condition of eligibility to receive support

Combination of federal agency and federally approved state implementation
Cooperative programs

Cooperative programs in which voluntary national standards are formulated by federal and state officials working together

Implementation by the states, approved by and under some degree of oversight by the federal agency
State adoption of externally set standards

Widespread state adoption of voluntary standards formulated by quasi-official entities to provide a uniform approach and virtually national coverage

Direct implementation by the state under its own authority

The last mechanism speaks to the adoption of existing international or national preparedness standards. As GAO points out, other entities, such as the National Fire Protection Association, can set national or international standards for a given material, product, service, or practice. If these externally developed standards are incorporated into a U.S.-ratified treaty or adopted by a federal agency, they have the status of federal law.55 GAO also assessed each of these mechanisms against factors in the federal and state balance in the context of a national regulatory objective. These factors include (1) providing uniform standards and nationwide coverage if essential to the national objective; (2) allowing flexibility where appropriate to that objective; (3) assigning responsibility appropriate to each level of government’s capacity to do the job at hand given the breadth of jurisdiction, enforcement powers, resources, and location; and (4) incorporating accountability to the federal government into the mechanism if essential to achieving the national objective. GAO observed that external standards can provide uniform model standards that states could adopt in their entirety or in part. However, unless these are incorporated into federal regulation, coverage is limited to adopting states (for states may adopt these standards or use others), reliance may be primarily on state capacity, or state agencies are accountable to state officials.56

There are established provisions that can be invoked for mandatory adoption as part of national regulatory frameworks or legislation. The National Technology Transfer and Advancement Act of 1995 and resulting Office of Management and Budget (OMB) Circular A-119 (revised in 1998) mandated federal agencies use management system standards developed by either domestic of international standards bodies instead of federal government-unique standards (e.g., the National Preparedness Guidelines) in their regulatory or procurement activities. The exception would be standards that are inconsistent with law or impractical. Impracticality includes circumstances where use of management system standards would not serve an agency’s program needs; are infeasible, inadequate, ineffectual, inefficient, or inconsistent with the agency mission; or impose burdens that would not be the case if another standard is used. Preferred are performance standards that state requirements in “terms of required results with criteria for verifying compliance but without stating the methods for achieving performance results.”57

The debate over whether these standards should be mandatory or voluntary is ongoing, most often linked to market forces and the need for government intervention. For example, Kathleen Segerson and KPMG Global Sustainability Services and the United Nations Environment Programme (KPMG and UNEP) discuss conditions when voluntary approaches result in the needed protection.58 Segerson, discussing food safety policy, draws on literature covering environmental protection. KPMG and UNEP discuss trends and approaches in voluntary and mandatory standards for sustainability reporting. In a nutshell, KPMG and UNEP observe that voluntary standards and self-regulation have a number of advantages. For example, self-regulation occurs in the same industry or sector, promoting access to more detailed and current information than may be available to government regulators. Organizations can act with greater flexibility and there may be a higher rate of compliance with the self-interests of the sector being protected. On the other hand, self-regulation may mean conflicts of interest, inadequate sanctions, under-enforcement, and insufficient resourcing.

Mandatory standards have a number of advantages, such as providing credibility in using recognized guidelines, allowing comparability of practices and promotion of standardization, providing a standard of care for legal disputes, and addressing market failures for social welfare. Disadvantages include regulators’ lack of knowledge of the industry, inflexibility when there are changing circumstances and technologies, the lack of incentive for innovation, and the possible addition of costs that undermine efficiency and competitiveness. Segerson argues that adequate consumer protection may need mandatory standards if consumers cannot readily detect safety characteristics or risks and it is not certain that firms would be held liable for damages.

If standards are legislatively mandated, Keith Bea cautions that they could be viewed as an unfunded mandate on state and local governments.59 Mandates also can be seen as interfering with state and local sovereignty or private sector business practices. However, Susan Clarke and Erica Chenoweth argue a regulatory preparedness approach provides incentives for local capacity for, and commitment to, preparedness.60 This latter point is important because there have been calls for a return to federalism and Constitutional limits on the power of the federal government (see, for example, articles by Kenneth Jost and Matt Mayer and Lee Baca).61 It is also important to remember that the Guidelines are tied to federal funding, and adherence to preparedness management system standards could be readily tied to homeland security grants.

Even with the political will to make the change, there may be disagreement over what policy option is best to make the transition to preparedness management system standards. According to NIST, government agencies can adopt standards in several regulatory ways. They can adopt them without change. They might grant a strong deference to standards for a specific purpose. Government agencies also could revise a standard and publish it as a proposed regulation or permit adherence to a specific standard as a way of complying with a regulation.62 For example, Congress might legislate, and the president approve, the stipulation of regulations to replace the Guidelines with one or more existing preparedness management system standards. This would ensure a solid link to federal financial assistance and considerable funding opportunities for state and local governments in compliance with the preparedness standards. Federal agencies would be governed through the budgeting process.

Unless mandated, it appears that the only overt incentive is “standard of care” pressure to adopt management system standards. In fact, the slow penetration of standard adoption in the private sector on a voluntary basis resulted in a report card grade of “C” from the 9/11 Public Discourse Project in 2005, the successor to the 9/11 Commission.63 Voluntary standards may result in uneven or low levels of preparedness because of factors such as insufficient resourcing and under-enforcement. Advantages such as using recognized guidelines and promoting standardization are important for national consistency, collaboration, and the sharing of better practices.

Certification or Accreditation Requirements

Decisions will be required on certification or accreditation requirements to evaluate conformation with the standards for organizations responsible for national preparedness. In the standards community, certification means an independent external body has audited an organization’s management system and the organization’s system conforms to the standard.64 It could be claimed that formal certification requirements should exist where national preparedness is involved. The rationale is that the National Preparedness Guidelines are intended to emphasize preparedness for hazards that may result in disasters or catastrophes requiring rapid and coordinated national action. Using management standards in lieu of unique federally developed standards such as the Guidelines would require substantial compliance with the preparedness standards.65 Unless there is a recognized certification process beyond self-certification, many would argue that the regulatory adoption of the management system standards is meaningless.

Implementing a certification program will create a number of practical difficulties, beginning with the number of entities needing certification. Undoubtedly one approach would be to establish authority for certification against the management system standards. Disaster or catastrophe preparedness would seem to indicate that, at a minimum, the organizations subject to standard certification in a first phase should be states, the large urban areas, and the private sector responsible for critical infrastructure. In the past, DHS has struggled with its own certification of homeland security plans of states and urban areas and assessing general preparedness.66 Work on the current voluntary private sector accreditation and certification preparedness program could be instructive in expanding certification to federal, state, and local government agencies involved in homeland security preparedness. The EMAP mentioned earlier also might serve as a model for certification. Certification could either be done by a similar body or by federal staff now allocated to the current federal homeland security Guidelines. Those components that might support preparedness technical assistance could be retained at the federal level with DHS, or placed in an existing university or center of excellence geared to technical assistance.

Summary and Conclusion

A key “take away” is that the actual standard elements are succinct and contained in a small number of pages that are supplemented by explicit guidance for use. The language used in Table 2 is actual standards language. Organizations who implement these standards are expected to assess their structure, processes, and security needs and develop their own management systems and performance criteria. This is in stark contrast to the Guidelines and supporting voluminous components such as the Universal Task List and the Target Capabilities List, where organizations are faced with hundreds of pages of direction and guidance. However, the full set of elements across the existing preparedness management system standards is completely consistent with the intent of the National Preparedness Guidelines without its prescriptive specificity. For example:

  • The preparedness standards call for identifying potential hazards and threats and assessing risks and impacts appropriate for any organization. These hazards and threats include natural hazards, accidental and intentional human-caused events, and accidental and intentional technologically caused events. The Guidelines emphasize preparedness for a number of high-consequence threat scenarios, including potential terrorist attacks and natural disasters.
  • The standards call for each organization to analyze its organizational and stakeholder requirements and define those processes that contribute to its overall success. Each organization is to manage its own preparedness actions, such as those to determine roles and responsibilities, manage preparedness and response resources and mutual aid agreements, maintain plans and procedures, and train and exercise to test capabilities. They foster integration with quality, safety, environmental, information security, risk, and other management systems within an organization. They emphasize the role of other organizations — partners — in preparedness, such as through mutual aid or direct support. The Guidelines detail more than 1,600 unique tasks to build capabilities that communities, the private sector, and all levels of government should collectively share. The many states that have already been certified under the Emergency Management Accreditation Program speak the efficacy of management system standards.

That said, adoption of management system standards certainly will test the mettle of many organizations. Rodger Holdsworth cautions that many organizations wanting to establish a management system do not fully understand that formal management systems truly are formal or documented.67 For an organization to transition from an informal or semi-formal approach in managing its operations to a more effective formal approach requires careful planning, organization, and clear goals and objectives. The program elements in a standard assist in planning and organizing what must be established and implemented to reduce risk and assist owners, as well as regulators, in measuring performance to specified requirements. Holdsworth also notes that audits have shown that management systems evolve, not by design, but over time based upon process specific, regulatory and company needs and or requirements.

This observation is supported by work by Neil Gunningham and Darren Sinclair,68 who highlight concerns with moving to process and management system standards, which they call management-based regulation. Such regulation encourages organizations to put in place processes and management systems that are least-cost, flexible solutions ensuring consistency across the organization and more than compliance with minimum legal standards. However, they suggest that there might be different levels of commitment to standards and capacity to implement them within the organization’s hierarchy and cultures. They argue that management-based regulation works well when standards are institutionalized beyond corporate management and are supported by informal systems of trust, commitment, and engagement.

Without a doubt, there will be ongoing uncertainty in meeting and sustaining the commitment and capacity need to comply with the elements of the preparedness management system standards. For some, the very detailed and voluminous requirements of the current Guidelines provide a convenient cover for decision-making, particularly in the absence of a strong audit or oversight mechanism. The standards for preparedness are much more concise for clarity of management attention and define specific preparedness program elements, coupled with considerable flexibility in actions, to meet required program elements. Accountability comes from the central program element in the standards requiring audits and possible certification.

Overall, this article has argued that a number of trends support the adoption of management system standards. Management system standards can be adopted by all organizations, regardless of size, type of product or service, culture, or location. Standards provide a common preparedness language for all involved organizations, seamless integration with other management systems such as those for quality and safety, a transparent and consistent development and revision process, and supporting guidance and expert assistance. By adopting and complying with these established standards, organizations should be in a much better position to craft preparedness programs appropriate for their situation, their preparedness partners, the entire preparedness product chain, and the public expectation for homeland security results and accountability. Transitioning to management system standards for all levels of government will confront a number of challenges, but these are outweighed by the benefits.


Dr. Sharon Caudle is the Younger-Carter Distinguished Policymaker in Residence at the Bush School of Government and Public Service, Texas A&M University.
She also is a senior fellow of The George Washington University’s Homeland Security Policy Institute.
She has authored numerous articles and book chapters on topics ranging from public performance management to homeland security issues.
Dr. Caudle may be contacted at scaudle@bushschool.tamu.edu.

  1. White House, Homeland Security Presidential Directive 8 (Washington, DC: Executive Office of the President, December 17, 2003).
  2. HSPD 8 was replaced by Presidential Policy Directive 8 in March 2011. The overall thrust of the new directive is the same as HSPD 8, calling for completing the national preparedness goal and national preparedness system.
  3. Public Law 109-295, October 4, 2006, 120 STAT. 1355.
  4. Department of Homeland Security, National Preparedness Guidelines (Washington, DC: Department of Homeland Security, September 2007).
  5. Ben Canada, Homeland Security: Standards for State and Local Preparedness (Washington, DC: Congressional Research Service, updated October 8, 2003).
  6. Steven M. Spivak and F. Cecil Brenner, Standardization Essentials: Principles and Practice (New York: Marcel Dekker, Inc., 2001).
  7. American National Standards Institute, Standards Activities Overview, http://www.ansi.org/standards_activities/overview/overview.aspx?menuid=3; International Organization for Standardization, Management Standards, , http://www.iso.org/iso/iso_catlogue/; American National Standards Institute, United States Standards Strategy, http://www.ansi.org/usss/.
  8. International Organization for Standardization, Management standards, http://www.iso.org/iso/iso_catalogue/.
  9. ISO’s journals, ISOFocus+, ISO Focus, and ISO Management Systems, provides numerous examples of implementation and results. See http://www.iso.org/iso/pressrelease.htm for access to these publications.
  10. Tine Jorgensen, “Towards More Sustainable Management Systems: Through Life Cycle Management and Integration,” Journal of Cleaner Production 16 (2008): 1071-1080; International Organization for Standardization, Management Standards.
  11. American National Standards Institute, United States Standards Strategy.
  12. Office of Homeland Security, National Strategy for Homeland Security (Washington, DC: Office of Homeland Security, July 2002).
  13. Canada, Homeland Security: Standards for State and Local Preparedness.
  14. Randall Yim, Homeland Security: The Need for National Standards (Statement to the National Commission on Terrorist Attacks Upon the United States, November 19, 2003).
  15. Randall Yim and Sharon L. Caudle, “Homeland Security: Using Standards to Improve National Preparedness,” ISO Management Systems, 4, no. 1 (2004): 15-18.
  16. Caudle, Sharon L, “Homeland Security: Approaches to Results Management,” Public Performance & Management Review, 28, no. 3 (2005): 352-375.
  17. Sharon L. Caudle and Randall Yim, “Homeland Security’s National Strategic Position: Goals, Objectives, Measures Assessment,” in The McGraw-Hill Homeland Security Handbook, ed. David G. Kamien (New York: McGraw-Hill, 2006), 225-261.
  18. Ashley A. Bowen, “Are We Really Ready? The Need for National Emergency Preparedness Standards and the Creation of the Cycle of Emergency Planning,” Politics & Policy, 36, no. 5 (2008): 834-853.
  19. Paul C. Light, Predicting Organizational Crisis Readiness: Perspectives and Practices toward a Pathway to Preparedness (New York: New York University Center for Catastrophe Preparedness and Response, 2008).
  20. Department of Homeland Security, Quadrennial Homeland Security Review Report: A Strategic Framework for a Secure Homeland (Washington, DC: Department of Homeland Security, February 2010).
  21. Quadrennial Homeland Security Review Report, 13.
  22. Homeland Security Council, National Strategy for Homeland Security (Washington, DC: Homeland Security Council, October 2007).
  23. The White House, National Security Strategy (Washington, DC: The White House, May 2010).
  24. Christopher Bellavita, “Changing Homeland Security: In 2010, Was Homeland Security Useful?” Homeland Security Affairs, 7, article 1 (February 2011).
  25. National Fire Protection Association, Standard on Disaster/Emergency Management and Business Continuity Programs 2010 Edition (Quincy, MA: National Fire Protection Association, 2010).
  26. National Fire Protection Association, Standard on Disaster/Emergency Management and Business Continuity Programs 2010 Edition, chapter 1.
  27. ASIS International, Organizational Resilience: Security, Preparedness and Continuity Management Systems–Requirements with Guidance for Use American National Standard ASIS SPC.1-2009 (Alexandria, VA: ASIS International, 2009).
  28. ASIS International, Business Continuity Management Systems: Requirements with Guidance for Use American National Standard ASIS/BSI BCM.01-2010 (Alexandria, VA: ASIS International, 2010).
  29. International Organization for Standardization, Societal Security—Guideline for Incident Preparedness and Operational Continuity Management ISO/PAS 22399 (Geneva: International Organization for Standardization, 2007).
  30. Daniel Henstra, “Evaluating Local Government Emergency Management Programs: What Framework Should Public Managers Adopt?” Public Administration Review 70, no. 2, (2010): 236-246.
  31. Henstra, “Evaluating Local Government Emergency Management Programs,” 238.
  32. Liesel Ashley Ritchie and Wayne MacDonald, ”Enhancing Disaster and Emergency Preparedness, Response, and Recovery Through Evaluation,” New Directions for Evaluation 126 (2010): 3-7.
  33. Standard on Disaster/Emergency Management and Business Continuity Programs 2010 Edition, 6, 12.
  34. National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report (Washington, DC: Government Printing Office, 2004).
  35. Public Law 110-53 added this definition to Section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
  36. Details on DHS’s Voluntary Private Sector Preparedness Accreditation and Certification Program can be found at http://www.fema.gov/media/fact_sheets/vpsp.shtm.
  37. Diana Hopkins, A White Paper on Expediting National Standards Development Through Training (Rockville, MD: Solutions for Standards, April 2008).
  38. Emergency Management Accreditation Program, http://www.emaponline.org.
  39. Government Accountability Office, FEMA Has Made Limited Progress in Efforts to Develop and Implement a System to Assess National Preparedness Capabilities (Washington, DC: Government Accountability Office, October 2010); Government Accountability Office, National Preparedness: FEMA Has Made Progress, Needs to Complete and Integrate Planning, Exercise, and Assessment Efforts (Washington, DC: Government Accountability Office, April 2009).
  40. Shawn Reese, Department of Homeland Security Assistance to States and Localities: A Summary and Issues for the 111th Congress (Washington, DC: Congressional Research Service, April 30, 2010).
  41. Reese, Security Assistance to States and Localities, 19-20.
  42. Local, State, Tribal, and Federal Preparedness Task Force, Perspective on Preparedness: Taking Stock Since 9/11 (Washington, DC: Local, State, Tribal, and Federal Preparedness Task Force, September 2010).
  43. John Kincaid and Richard L. Cole, “Issues of Federalism in Response to Terrorism,” Public Administration Review 62, special issue (2002): 181-192.
  44. Deil S. Wright, “Federalism and Intergovernmental Relations: Traumas, Tensions, and Trends,” Spectrum: The Journal of State Government 76, no. 3 (2003): 10-13.
  45. Charles R. Wise and Rania Nader, “Developing a National Homeland Security System,” in Intergovernmental Management for the 21st Century, eds. Timothy J. Conlan and Paul L. Posner (Washington, DC: Brookings Institution Press, 2008) 77-101.
  46. Samuel H. Clovis, Jr., “Federalism, Homeland Security and National Preparedness: A Case Study in the Development of Public Policy” Homeland Security Affairs, II, no. 3 (October 2006), https://www.hsaj.org.
  47. Samuel H. Clovis, Jr., “Promises Unfulfilled: The Sub-Optimization of Homeland Security National Preparedness” Homeland Security Affairs, IV, no. 3 (October 2008), https://www.hsaj.org.
  48. Clovis, Jr., “Promises Unfulfilled,” 4.
  49. Paul L. Posner, “Homeland Security and Intergovernmental Management: The Emergence of Protective Federalism,” paper presented at the annual meeting of the American Political Science Association, Philadelphia, August 28-31, 2003.
  50. Paul Posner, “The Politics of Coercive Federalism in the Bush era,” Publius: The Journal of Federalism 37, no 3 (2007): 390-412.
  51. PRNSR Homeland Security Team, State/Local Issue Team Solution Set November 25, 2008, p. 61-62, http://pnsr.org/data/images/state-local%20final%20problem%20analysis.pdf.
  52. Sharon L. Caudle, “An Option for Homeland Security Preparedness Requirements: Consensus Management System Standards,” Public Performance & Management Review 33, no. 1 (2009): 141-155.
  53. Government Accountability Office, Regulatory Programs: Balancing Federal and State Responsibilities for Standard Setting and Implementation (Washington, DC: Government Accountability Office, March 2002).
  54. Government Accountability Office, Regulatory Programs, 7-10.
  55. Government Accountability Office, Regulatory Programs, 23.
  56. Government Accountability Office, Regulatory Programs, 26-27.
  57. Office of Management and Budget, Circular no. A-119 revised (Washington, DC: Office of Management and Budget, February 10, 1998), 3.
  58. Kathleen Segerson, “Mandatory Versus Voluntary Approaches to Food Safety,” Agribusiness 15, no. 1 (1999): 53-70. KPMG Global Sustainability Services and United Nations Environment Programme (KPMG and UNEP), Carrots and Sticks for Starters: Current Trends and Approaches in Voluntary and Mandatory Standards for Sustainability Reporting. http://ec.europa.eu/enterprise/policies/sustainable-business/corporate-social-responsibility/reporting-disclosure/swedish-presidency/files/surveys_and_reports/carrots_and_sticks_-_kpmg_and_unep_en.pdf.
  59. Keith Bea, Emergency Management Preparedness Standards: Overview and Options for Congress (Washington, DC: Congressional Research Service, updated August 30, 2006).
  60. Susan E. Clarke and Erica Chenoweth, “The Politics of Vulnerability: Constructing Local Performance Regimes for Homeland Security,” Review of Policy Research 23, no. 1. (2006): 95-114.
  61. Kenneth Jost, “States and Federalism,” CQ Researcher 11, no. 36 (2010): 847-867. Matt A. Mayer and Lee Baca, “Want Homeland Security? Give State and Local Governments a Real Voice,” Heritage Foundation Backgrounder 2467, http://report.heritage.org/bg2467.
  62. National Institute of Standards and Technology, Standards.gov.
  63. Thomas H. Kean and Lee H. Hamilton, 9/11 Public Discourse Project (Washington, DC: The 9/11 Public Discourse Project, 2005).
  64. International Organization for Standardization, Management Standards.
  65. Hal Stratton, International Harmonization of Consumer Product Safety Standards. May 24, 2005, Remarks to the 2005 ISO COPOLCO Workshop.
  66. Bowen, “Are We Really Ready?” and Federal Emergency Management Agency, The Federal Preparedness Report (Washington, DC: FEMA, January 13, 2009).
  67. Rodger Holdsworth, “Practical Applications Approach to Design, Development, and Implementation of an Integrated Management System,” Journal of Hazardous Materials 104 (2003): 193-205.
  68. Neil Gunningham and Darren Sinclair, “Organizational Trust and the Limits of Management-Based Regulations,” Law & Society Review 43, no. 4: (2009): 865-900.

This article was originally published at the URLs https://www.hsaj.org/?article=7.1.14 and https://www.hsaj.org/?fullarticle=7.1.14.

Copyright © 2011 by the author(s). Homeland Security Affairs is an academic journal available free of charge to individuals and institutions. Because the purpose of this publication is the widest possible dissemination of knowledge, copies of this journal and the articles contained herein may be printed or downloaded and redistributed for personal, research or educational purposes free of charge and without permission. Any commercial use of Homeland Security Affairs or the articles published herein is expressly prohibited without the written consent of the copyright holder. The copyright of all articles published in Homeland Security Affairs rests with the author(s) of the article. Homeland Security Affairs is the online journal of the Naval Postgraduate School Center for Homeland Defense and Security (CHDS). https://www.hsaj.org

No Comments

Post a Comment