At the Educational Testing Service (ETS), education is everything. The nonprofit organization is dedicated to advancing quality and equity in education for people worldwide by creating assessments based on rigorous research. Founded in 1947, ETS develops, administers, and scores more than 60 million tests annually – including the TOEFL® and TOEIC® tests, the GRE® tests and The Praxis Series® assessments – in more than 180 countries, at over 9,000 locations worldwide.
In the same way that ETS is committed to excellence in the services they deliver, they are committed to excellence in how they manage business continuity. ETS’s Business Continuity Management System has been certified to the BS-25999 certification since 2009 and is now certified to the ISO-22301 standard. Considering the rigor associated with ISO certification, we wanted to hear why ETS took this unusual step – most organizations in the industry are content to align themselves with ISO guidelines, but do not seek certification. We interviewed Dr. Timothy Mathews, Executive Director of Enterprise Resiliency at ETS, to learn the story behind the certification and to discover the role the Fusion Framework® System™ plays in supporting this significant accomplishment.
This Business Continuity Program Earned Top Marks!
ETS’s Enterprise Resiliency Team won both the North America Business Continuity and Global Continuity and Resilience Team of the Year awards from the Business Continuity Institute (BCI) in 2015. The award recognizes ETS’s high level of training and readiness to carry on its critical operations in case of a natural or human-made disaster. One example was ETS’s effective response to Super Storm Sandy, the deadliest and most destructive hurricane of the 2012 Atlantic hurricane season, and the second-costliest in United States history.
Achieving and maintaining ISO-22301 certification is not a simple task. Why did ETS decide to pursue certification?
We did so for two main reasons. First, we do a lot of global work. Many of our tests are international assessments, recognized around the world as global brands. Therefore, we wanted to embrace the international ISO standard. It demonstrates to our international customers that we are not just wired in to an American standard. We’re an organization with global responsibility, and we take that seriously in every area of our business.
Second, we work with a lot of large governmental organizations – federal, state, and local – and with departments of education and university systems around the world. All these organizations have formal and rigorous Request for Proposal (RFP) processes. One component of every RFP addresses business continuity and disaster recovery. In the absence of a standard, you have to determine how to craft your response for each RFP, which consumes a huge amount of time. It was eating up six to eight weeks of staff time in my department each year. And, there was always the risk of miscommunication or misunderstanding, which could hurt the RFP process.
However, all organizations are familiar with ISO standards. We now have a pre-defined RFP response document that describes our business continuity management system in the context of the ISO-22301 standard, which has reduced our team’s workload by an order of magnitude. The response clearly lays out our program and provides our certification number, so that an independent person can validate our certification.
Define the scope and scale of your resilience program.
Define the policies and procedures that govern the program, e.g., business impact assessments, plan development and testing, communication, etc.
Define business continuity recovery strategies and arrangements.
Exercise plans and strategies in a three-year cycle.
Capture artifacts to demonstrate compliance.
Build awareness across the enterprise.
Conduct annual audits and third-party certification assessments.
Has ISO certification given you a competitive edge in the marketplace?
Absolutely. ISO certification gives our customers an important level of trust in ETS. For example, in competitive situations, we are able to tell our clients that we are so confident in our ability to deliver our services even in a disaster situation that we’re certified in our abilities. We wear the certification like a badge.
Companies have complete freedom to determine the scope of the program they want to submit for ISO certification. For example, some companies choose only to have their headquarters ISO-certified, but not their branch facilities. What is the scope of ETS’s program?
We take ISO certification very seriously. The scope of our program is our entire process. It involves our research and development, assessment development, test administration and delivery processes across multiple locations and multiple datacenters. It covers just about everything we do.
What led you to move to the Fusion Framework System to support your program?
We did a formal RFP process, and awarded the business to Fusion Risk Management for several reasons. First, the architecture that Fusion embraces – a software-as-aservice (SaaS) architecture with leading-edge technology – is very much aligned with our needs and desires.
Second, there is a lot of wisdom and experience in the Fusion team that we felt we could leverage. So, not only was the solution the right solution, but the people behind the solution are the right people.
Third, Fusion has momentum in the marketplace. They are on a solid trajectory in terms of mindshare, which has been evidenced by their strategic hires. They are constantly enhancing their product and services, and innovating for the benefit of their customers. We are very confident about where Fusion is today and where they are heading.
How has the Fusion Framework helped you maintain your world-class ISO-certified business continuity program?
Fusion has greatly helped us to maintain the ISO requirement to have an enterprise-level awareness of the program through its user friendly interface and the convenience of single sign-on. We have over 500 people in the organization who are tasked with maintaining, approving, or participating in activities. With our previous system, it used to be a struggle to get users to log in, and it was even more difficult for them to use. In contrast, the Fusion Framework is simple to login to and easy to use, so people enter and exit the system on a much more frequent basis.
The graphical dashboard reporting has also contributed significantly to aiding awareness at the executive level. It motivates management to engage with the program because they see data and actionable items presented the same way they receive information from other parts of the business.
Certainly, there are a lot of technical aspects to the Fusion Framework that we love and that make it great – such as automation, configurability, a procedure library, and more – but from the ISO perspective, it has given us the ability to demonstrate conclusively to auditors that our organization is aware of, supports, and engages with the program.
Ready to Learn More?
Contact us to see how choosing Fusion can help you choose success.