So here we are… the final stage of my journey, and I have undergone circa 50 hours of intense audit. Those who have kindly followed these events thus far will know that I have actively tried to provide a chapter for each stage of the process, the idea being that I could provide an easy-to-understand perspective from a junior professional who is currently going through the experience.
What Actually Happens (In Plain English)…
Friday, 28 March 2014
The Final Chapter of Certification – The ISO: 22301 Stage 2 Audit and Successful Certification
For those of you who aren’t in the industry, I just wanted to clarify the process of achieving certification in its simplest terms (from what I can tell):
1) Decision to Certify - an organisation decides it wants to prove that it can bounce back from (or prevent) conceivable business disruptions e.g. denial of work premises, staff shortages, supplier failure etc. This might be due to a contract requirement for new business (meaning a potential client is basically saying “If you don’t get a certificate to prove you’re reliable we won’t be doing business with you”).
2) Appoint an Accredited Certification Body - one of the most widely known certificates you can achieve is the International Standard for Business Continuity, ISO 22301:2012. The standard is essentially a long list of things that you must have in place and be readily able to demonstrate to an auditor, mostly a combination of documents and processes describing your organisation’s back-up arrangements. The certification body is the independent (and accredited) organisation you appoint to audit you against that list.
3) Gap Analysis - once an independent (and accredited) certification body is assigned, you can invite them to come and undertake what they call a “pre-certification audit” which is essentially a gap analysis to gauge how far off the pace you are compared to what is required.
4) Stage 1 - This is basically where you provide the auditor with all the documented evidence they require e.g. meeting minutes, training reports, post incident reports etc. This usually takes a couple of days of intense document checking and face-to-face discussions.
5) Stage 2 – This is where the auditor will come back at a later date (and for the better part of a week) to follow up on the gaps that they spotted during Stage 1 and also to look for wider evidence to demonstrate an appreciation and understanding of business continuity. This will include things like site tours, interviews and random questioning of staff etc.
All being well you are given a positive recommendation to be certified and following their internal governance checks you receive your certification! It sounds so easy right?
From Small Acorns...Great Oak Trees Grow!
The experience of achieving certification will differ greatly depending on the individual approach, the size and sector of the organisation, the maturity of the existing business continuity arrangements and, of course, the available/dedicated resources. It is fair to say, though, that the process never goes exactly how you expect it to.
Have you ever watched those animated Ice Age movies? If so, you will no doubt have been introduced to a character by the name of “Scrat”, a kind of squirrel-type creature who is absolutely obsessed with collecting acorns but is constantly forced to overcome challenges when collecting them. He sometimes appears to succeed right before the next unforeseen obstacle. Well… if you put Scrat in a suit and swap the acorn for an ISO certificate you will give yourself a better idea of what it’s like to experience this process when starting quite literally from “Scrat-ch”.
To better explain my sub-zero analogy, an organisation’s commitment to achieve certification, and the subsequent gathering of pace to get things in the right place, often leads to even bigger obstacles/challenges being unforeseen, or at least not as widely appreciated as perhaps they should be. For example, be careful not to build documents and spreadsheets that are overly complicated just to meet the audit requirements, as they can become unmanageable in the future! First lesson learned here…
Perhaps one of the first challenges I faced in this process was maintaining business as usual (BAU) activities while ensuring readiness for the forthcoming audit. In the absence of a sizable team, the battle between BAU activities and certification prep can be a real stretch. For example, in BAU you could be in the middle of producing your annual report, delivering a training event or perhaps in the midst of Work Area Recovery Site testing. This would all still have to be achieved while ensuring you ticked every box for audit. I suspect those organisations with a well-embedded business continuity profile or with a larger pool of resource will suffer less from this than those with only one or two staff. Nevertheless, this is a crash course in business continuity plate-spinning, so I would recommend that you take time to plan resources ahead of time. Simple advice, but easily overlooked.
During Stage 1 the auditor is reasonable enough, and if you can present enough basic evidence with some well-articulated intentions to improve then they will often give you the benefit of the doubt. Naturally, this is on the condition that you provide evidence of progress/completion on their return.
Be mindful to capture all the statements, promises and intentions that you make during Stage 1, because it’s one of the first things they look for when they walk back through the door. Cover yourself! Particularly with any minor nonconformities, as they will expect you to have those closed off (as a bare minimum).
Try to see the two stages of the audit as a single process delivered on different days. The line between Stage 1 and Stage 2 is dangerously blurry. I’ve previously made the mistake of treating the two stages as stand-alone projects, but it doesn’t work like that, and if you fail to appreciate this then simple mistakes can happen. For instance, if your organisation flies through the first stage of document checks you will need to remind yourself that either the same auditor will return for Stage 2 or, at the very least, they will provide a comprehensive report for their incoming colleague. This means that you shouldn’t treat a Stage 1 pass as final; you need to continually improve. On arrival at Stage 2 you will either get a new set of critical eyes OR someone who already knows your system but has had more time to provide a greater critique. For example, I kept hearing the phrase “on reflection” right after they spotted something they had perhaps overlooked. My point is that you can still essentially fail Stage 1… at Stage 2, so keep working on developing your documentation!
A major part of Stage 2 is for the auditor to undertake a number of meetings with individuals who typically have an involvement in, or are affected by, the Business Continuity Management System (BCMS). Arguably this could be everyone in the business, but first and foremost we are talking about the following:
• Business Continuity Executive Sponsor – Board Representation
• Decision Makers – Working Group Chair and Group
• Plan Owners
• Those stated to have a role within the planning documentation
In my experience, those who are interviewed can vary greatly in their “performance”. An auditor once told me that they interviewed a legal firm for their Stage 2 where the solicitors had no obvious knowledge of their organisation’s BCMS but were able to talk around the subject as if they did. In contrast, operational managers in other organisations, with a high degree of exposure, have visibly crumbled under questioning despite knowing all the answers! Of course this is difficult to manage, so the most effective thing you can do is send out a consistent message of business continuity across the business. One easy way to fend off this potential challenge is to carry out a series of mock interviews with your staff. This not only gives them some additional training but allows them to become more comfortable with the process.
I also think it’s valuable to commit some of your time to reassuring those likely to be interviewed in the weeks before Stage 2. They need to be assured that they know everything they need to, that the auditors are good people and that they won’t be surprised with obscure and difficult questions!
In my experience, the auditor does not typically ask direct, hard-hitting questions but works around the entire subject to gauge whether the interviewee has a well-rounded understanding. Ultimately they have done this a thousand times and they will be able to tell if your knowledge is where it needs to be.
In this instance, the auditor allowed one of our team to sit in on the interviews, which helped provide that added comfort to the interviewee and the occasional steer when they went off on a tangent.
More than just an Action Plan
As I mentioned before, be mindful of the intentions and promises you make to the auditor, because they are documented and they will come back to haunt you if not fully completed. I was advised that we needed a log or register to capture nonconformities and corrective actions as they occurred, so I quickly built an action plan in the way I normally would.
I’m not sure about everyone else but I’ve always undertaken an action plan in a fairly simple way:
1) Task Description
2) Assigned Owner
3) Date for completion
4) Completed Check Box
5) Comments section.
For a management system that must demonstrate continual improvement, this level of detail is not enough, because it doesn’t give the organisation what it needs to move forward. In hindsight, your first port of call should be clause 10 of the standard (Improvement), which covers nonconformity and corrective action. In addition to the above, your log or register must also include:
6) Root Cause – What specifically occurred for an issue or action to be raised?
7) Date Assigned – So the time taken to being closed off can be determined
8) Latest Update Date – So the time elapsed since the latest update can be determined
9) Rationale – The reason/s as to why this issue or action has been escalated
10) Correction – What did you immediately do to resolve the initial problem?
11) Corrective Action – How will you ensure that the issue or action will never (or is not likely to) occur or cause impact again in the future?
This is a classic example of not seeing the wood for the trees: seemingly obvious points of improvement get missed in the audit chaos. It is simple, but an easy mistake to make when you are in the midst of developing a BCMS.
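To make the difference between the two registers concrete, here is an added example (mine, not the post author’s spreadsheet) of a corrective action register in Python that carries all eleven fields above and then checks it the way an auditor would on their return: it computes the time taken to close each item (field 7), the time since the last update (field 8), and flags entries that are overdue, stale, or marked complete without a root cause or corrective action ever being recorded. The “NC-01”/“NC-02” reference scheme, the 30-day staleness threshold and the two entries themselves are constructed for illustration and are not taken from any real audit.

```python
"""Nonconformity / corrective action register with the eleven fields the
post recommends, plus the checks an auditor applies on return (time to
close, time since last update, missing root cause / corrective action).

Added illustration. The entries below are constructed, not from a real
audit; the NC-xx reference scheme and the 30-day threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class CorrectiveAction:
    ref: str                     # identifier; NC-xx scheme is an assumption
    task: str                    # 1) task description
    owner: str                   # 2) assigned owner
    due: date                    # 3) date for completion
    completed: bool              # 4) completed check box
    comments: str                # 5) comments
    root_cause: str              # 6) what specifically occurred
    date_assigned: date          # 7) when it was raised / assigned
    last_update: date            # 8) latest update date
    rationale: str               # 9) why it was raised / escalated
    correction: str              # 10) immediate fix applied
    corrective_action: str       # 11) what stops it happening again
    closed_on: Optional[date] = None


def days_open(item: CorrectiveAction, today: date) -> int:
    """Field 7: elapsed days from being raised to closure (or to today)."""
    end = item.closed_on or today
    return (end - item.date_assigned).days


def days_since_update(item: CorrectiveAction, today: date) -> int:
    """Field 8: how long the entry has sat without anyone touching it."""
    return (today - item.last_update).days


def check_register(register: list, today: date, stale_after: int = 30) -> dict:
    """Return {ref: [problems]} for entries an auditor would pick at.

    A closed entry with no root cause or corrective action is still a
    problem: the log should show why it happened and what prevents a
    repeat, not just that a box was ticked."""
    findings = {}
    for item in register:
        problems = []
        if not item.completed and today > item.due:
            problems.append(f"overdue by {(today - item.due).days} days")
        if not item.completed and days_since_update(item, today) > stale_after:
            problems.append(f"no update for {days_since_update(item, today)} days")
        if not item.root_cause.strip():
            problems.append("root cause not recorded")
        if not item.corrective_action.strip():
            problems.append("corrective action not recorded")
        if item.completed and item.closed_on is None:
            problems.append("marked complete but no closure date")
        if problems:
            findings[item.ref] = problems
    return findings


# Constructed sample register and review date (illustrative only).
AUDIT_DATE = date(2014, 3, 24)
SAMPLE_REGISTER = [
    CorrectiveAction(
        ref="NC-01", task="Record attendance at BC awareness training",
        owner="BC Manager", due=date(2014, 2, 28), completed=True,
        comments="Sign-in sheet now filed with the training report",
        root_cause="No attendance record kept for the January session",
        date_assigned=date(2014, 1, 20), last_update=date(2014, 2, 10),
        rationale="Stage 1 minor nonconformity: no evidence staff attended",
        correction="Collected attendees' names retrospectively by email",
        corrective_action="Sign-in sheet added to the training checklist; "
                          "owner verifies it is filed before closing the event",
        closed_on=date(2014, 2, 10)),
    CorrectiveAction(
        ref="NC-02", task="Update supplier contact list in the recovery plan",
        owner="Facilities", due=date(2014, 3, 7), completed=False,
        comments="", root_cause="",
        date_assigned=date(2014, 1, 20), last_update=date(2014, 1, 20),
        rationale="Stage 1 observation: two suppliers in the plan no longer trade",
        correction="Struck through the defunct suppliers by hand",
        corrective_action=""),
]


def main():
    for ref, problems in check_register(SAMPLE_REGISTER, AUDIT_DATE).items():
        print(ref, "; ".join(problems))
    print("NC-01 took", days_open(SAMPLE_REGISTER[0], AUDIT_DATE), "days to close")


if __name__ == "__main__":
    main()
```

Run as-is it reports nothing against NC-01 (closed, with cause and corrective action recorded) and four problems against NC-02: overdue, untouched for over two months, and no root cause or corrective action. That second entry is exactly the shape of the five-column action plan: the correction was done, the box was never ticked, and nothing in the log explains why the suppliers were stale or how the list will be kept current.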
Cross-selling / Up Selling
Ultimately your chosen auditor is a business as well, and they will need to either maintain or extend their business with you. I imagine that more often than not this is achieved through surveillance visits, scope expansion, recertification etc. However, if you look at the ISO 22301 audit plan more closely there are a number of opportunities to cross-sell registrations to similar standards for things like information security management (ISO 27001), quality (ISO 9001) or environment (ISO 14001). I arrived at this particular point when the auditor raised concerns about the location and quality of fire extinguishers, which in my opinion is important, but was a little left-field of the business continuity line of conversation we were having at the time. Whether this example was deliberate or not is beside the point, but it does raise a valuable note worth remembering. You are not just being audited for ISO 22301; you are potentially being audited for new business once you let them in. It seems from conversations with peers and colleagues that this cross-selling / up-selling technique is common business practice with many of the leading auditing bodies, so maybe I’m just a little late to the party.
If you’ve never gone through a Stage 2 audit like this before then it’s very difficult to know what to expect. You’ve worked so hard to try and ensure all the detail is in place, but that alone is not enough. You need to make sure the system works and, more importantly, provide tangible evidence of it working.
I personally feel that the key to Stage 2 success is:
1) Communicate the BC Brand – Good News Stories, Case Studies of Lessons Learned, Face-to-Face contact time, Posters, Newsletters etc.
2) Well-Briefed Managers – Depending on their level of responsibility or anticipated role they need to have a workable understanding of what business continuity is to their organisation and department and how it works.
3) Finish your Homework! - Close off all, or as many as you can, of the observations and nonconformities to demonstrate the organisation’s commitment to improvement.
4) View the BCMS as a "Living Process" – Try to understand why each tool or document exists and how it feeds into other parts of the system. Try creating a process map to see how the elements are connected (mine ended up becoming more of a web diagram). If you genuinely cannot see the benefit, or how it feeds into the process to provide value, then should it really be there?
Someone once said to me that there are people in every business who make an art form out of making things needlessly complicated whereas I have a skill at simplifying everything. I hope I have achieved a similar approach in describing this experience.
I’ve also taken a look at my blog-site statistics, and all of my “Raising the Standard” chapters have already received a wide audience. I think it’s mainly down to a few factors:
Many professionals are actively going through the same process as we speak and naturally have an interest so they are keen to read up on it.
In my opinion, most of the people who rushed to become some of the first to get published on how to implement ISO 22301:2012 have simply stated the obvious or re-badged previous guidance from other standards. Not entirely helpful.
It’s easy to gauge the genuine appetite for ISO-related discussion (or indeed the absence of real guidance or advice) by joining the 1000-member-strong ISO22301 LinkedIn Group, which has professionals from around the world searching for related templates and examples. I highly recommend you join the party. Sharing is caring, folks!
The next stage for me and my organisation is legacy, which I’m sure will be equally as interesting!