So far this journey has covered…
1) My Initial Views on Undertaking an ISO 22301:2012 Audit
2) Our Pre-Certification Audit
3) The Final Days of Prep
And now finally we are at stage 1! Here are my thoughts and feelings from the 2 days it took to review and assess our management system.
I’m not sure how it works with all accredited auditing bodies but the one we are using provided us with a plan of how we would collectively move through the 2-day assessment. I’m pretty sure you can challenge the structure to suit your needs but at face value, the agenda looks fairly innocuous…calm before the storm perhaps?
The introductory statement from the auditors was fair, advising that it's okay to have minor nonconformities, which they defined as a single lapse against the required standard. The threshold, of course, means that once you enter double figures there should be some serious questions asked of the integrity of your system. This is similar to failing your driving test. Obviously a major nonconformity will result in failure and the subsequent need for a re-assessment, which pushes the entire process back. This is not a good thing if you have been given a deadline by a client to achieve certification!
The small world of BC…
As our visitor arrives at the building, I immediately recognise a familiar auditing face from a previous role. Thankfully, my experience of this particular individual was relatively good. From memory they were a very friendly and capable professional so it would be fair to say it was a welcome arrival. It did get me thinking though. What would have happened if our previous experience had been bad? Naturally we are all professionals but we work in a small community of peers and it is definitely something that needs to be considered. The BC world is minute by other industry standards and you won’t get on with everyone, but bear this in mind, my fellow junior professionals. Do not burn bridges!
Beware of Absolute Plagiarism
Off the back of this chance encounter another thought did cross my mind. These individuals who work across our industry no doubt bear witness to a plethora of fairly similar documentation, some of which is sensitive and in some cases copyrighted. Regardless of what anyone will tell you, between friends, colleagues and peers within our industry, unofficial sharing does occur. Nevertheless this would put an auditor in a delicate position. Perhaps this individual had spent the previous week with a client, say a retail bank for example, and then subsequently moved across to a competitor the following week, but then finds that their BCMS framework and documentation is virtually the same? What if the initial client had copyrighted or protected said documents? Confidentiality is quoted by the audit body throughout their process so I’m not sure how this would work but once again, something to consider.
Greater Context of the Organisation
The initial discussions at the very beginning were, as the auditor described, “training the auditor”, by which I mean clarifying the business, the location and the scope of the audit before moving forward with the rest of the assessment. The gist of this is to focus the attention of the auditor and make sure everyone in the room is on the same page. It surprised me just how quickly the stall that we had set out as “our organisation” was picked apart by the auditor…and they hadn’t even looked at a single document yet! These guys are good.
Don’t put all your Eggs in one Management Review Basket
I’ve read several times in the past that the management review section for the standard can be broken up across the year rather than include all items on to one agenda for one meeting per month. This was suggested by our auditor and historically I have disagreed. This is because I was much more comfortable with covering off all items in one meeting but the ISO 22301 clause 9.3 requires us to cover off so much at these meetings that I think it’s far too challenging to do it all in one go. We definitely need to break it up!
Capture genuine progress at all times - It needs to look organic!
A professional can to some extent hide behind the documented procedures produced but you can’t hide behind dates and version control, unless you fraudulently backdate your documentation which is a potential minefield for being caught out. An auditor will be able to see very quickly that you have built something in haste during the preceding weeks to their arrival. This does not demonstrate a management system is in place but rather something that has just been built providing no evidence of implementation.
This can be achieved by logging BC related decisions and keeping a record of minutes that cite any BC related detail, even in its infancy. Log opportunities from training already undertaken also. It might not seem very important in the absence of a framework but it’s recorded evidence, which appears to carry a great deal of weight in these audits.
Under Audit Arrest
Anything you do say may be taken down and used as evidence against you, or at least that’s how it seems. In the realms of any audit there is an interesting paradox I’ve found. Some argue that you need to lay out every single document you have on the table for the auditor and make sure you acknowledge every working detail of the system. Then there are others who suggest that you should only give the auditor what they need. Until this assessment I would have laid everything out but now I find myself changing my approach to the latter. This change in approach was reaffirmed by a throw-away comment on day one made by our auditor who mentioned “the more you say – the more you are accountable for”. Give them what you think they need and keep the remaining war chest of documentation on standby ready to support.
This also goes for what you say when sat with an auditor. They have an impressive skill to pick out nonconformities in what you say. You have been warned.
The Human Element of the Management System
If you are going to build some shiny new document or highly technical wonder-spreadsheet / database for BC you really need to account for who is going to have an interest or those who might be affected by it at any stage. Some seemingly benign throw-away statement in a document could have huge ramifications on a particular service or individual. This links quite neatly into the interested parties’ clause within the standard. I implore anyone going through this process to really sit down beforehand and consider literally ANYONE who could be affected by what you are doing and how. You will be asked.
Searching for a BC Needle in a BC Hay Stack
Something I'm starting to realise now is the greater attention required for follow up. The introduction of a management system is filled with statements advising how something is to be done but, in the context of continual improvement, more meat needs to be added to the bones. Saying you’re going to do something and providing evidence that it has been done is simply not enough. For instance, if you find a nonconformity or an opportunity for improvement, you will need to assign it appropriately, specify acceptance criteria for completion, allocate a timescale and report progress (or not) to senior management, and then provide assurance that the new product or procedure works effectively. BC actively working off the spreadsheet...
These are just my thoughts from one of my first audits and I hope my observations help you in some way. To supplement my ramblings I would highly recommend Hilary Estall’s article on common trends in achieving the standard as well as her book that explains certification and implementation. Overall it was quite an experience with months of preparation and not really knowing what to fully expect as a junior professional. We were successful at stage 1 with only 2 minor nonconformities but we now have less than a month to prepare for stage 2. I will keep you posted!