Sunday, 21 April 2013

Earthquake! How effective was your company’s response?

On April 16th, an earthquake measuring 7.8 hit Iran and its effect was felt across the region. In this post I want to consider this real-world example and delve deeper into the topic of management system “effectiveness”.
I’ll try to explain what is meant, and what is to be expected of an effective risk-based management framework such as an ISO 22301 (BCMS) or ISO/IEC 27001 (ISMS) management system, and I’ll apply the concepts to two case studies to better illustrate these points.

The Response

At the time the earthquake hit, I was working from my home office just off the Dubai coastline. I felt the floor rumble and move under my feet, but only for a brief couple of seconds. At first I was confused, then the idea that it could be an earthquake hit me.. fear struck me, briefly – I’m more than 25 floors up!
A deep breath in and my brain reactivated. I figured that perhaps it was just the construction going on outside.. Maybe I imagined the movement of the floor? I looked around and saw that the light on the ceiling was swinging; it was real alright.
I dashed to grab my passport, phone and wallet. I should evacuate… shouldn't I? But what do I do – take the stairs? That’ll take me about 10 minutes or more to get down to the bottom; if things are going to go, then that’s too long. Do I risk the elevator? We’re not supposed to use the elevator in a fire.. but this isn't a fire, so maybe I can use it now to get out quickly? It might be worth the risk.
There was no alarm or evacuation alert in my building, so I gathered my thoughts and again wondered if it was indeed an earthquake – I've never experienced an earthquake before. As I started thinking more about what I should do next I also started to second-guess my first instinct to evacuate. Maybe it's safer to stay here? Besides, aren't these buildings designed to withstand such events? Surely they are?
10 minutes on and I still hadn't left the building. Now my nerves had reordered themselves and I had talked myself down from my confused and fearful state of mind. I’d felt nothing else since the first rumble, so now I was going to wait and see what happened next. It's probably all over, nothing more than a little tremor, so I sit back down and Google “earthquake Dubai”!
Elsewhere in the UAE, one Dubai school completely evacuated and sent all its students and staff home. The school closed its doors for the next day too, whilst an expert checked the structural integrity of the building to give the all-clear. Other schools remained open and continued to operate as usual, apparently unconcerned, whilst the roof of a shop in Ras Al Khaimah collapsed and reminded us that the potential for a loss of life is not altogether unrealistic.
Employees of some companies evacuated and spent an hour or so on the streets. Others remained inside, hidden under tables; and yet others appeared completely oblivious to the event and continued to work, business as usual.
These are just some of the responses I've learned about over the last couple of days from personal experience, news reports, friends, and colleagues, and it's interesting because here in the UAE earthquakes are a pretty rare event. Given these examples, what I want to consider next is how companies with formal management systems in place should be behaving after such an event, and what an effective management system actually looks like.

The Management System

First off, where and how does this all fit into our BCMS, ISMS, OHSAS etc. picture? Well, in the grand scheme of things this is all about “checking”. It’s too late to be “planning” our response (creating the earthquake evacuation plan), since it already happened, and what should have happened during the earthquake event was the “doing” or “implementation” part (staff evacuating according to the plan). Now we are going to look back after the event occurred, i.e. post-event, and we’re very keen to know if the plan was effective – i.e. did everything go according to plan and did the plan work as expected.
For a quick self-evaluation, ask yourself the following question. If your answers are similar to mine, whether yes or no, your management system is probably working, at least to some degree, as it should be.
The question is: Did you consider “earthquake” in your risk assessment?
If no:
- Have you since reviewed your risk assessment and updated it?
- Did you ask yourself why it wasn't included?
- Are there other risks that you may also have overlooked? Are you resolving this?
- Are those doing the risk assessments competent to do so? Why did they miss this?
If yes:
- Did you have a plan in place to respond to this type of event?
- Did everyone follow the plan knowingly and correctly?
- Did the plan work as expected? Can anything be improved?
- Did you review your risk assessment assumptions (e.g. likelihood and impact)? Do they need tweaking?
- If you identified the risk but management decided that there was no need to implement a plan, do they still feel the same way?
All management systems tell you to PLAN –> DO –> CHECK –> ACT (PDCA), so embedding this process approach into everything that you do is fundamental to having an effective management system. The above question, leading to answers of either yes or no, and on to further questions that lead you to identify improvement opportunities, demonstrates effectiveness. You are required to check in order to identify your weaknesses and/or failures, and to act on them to improve. Doing so means “conformity” to a standard’s requirements. Doing nothing means “nonconformity” to a standard’s requirements.
Not every company would have considered earthquake as a risk in Dubai; it happens rarely, but it does happen and therefore should probably have been identified. However, if the risk assessment has now been reviewed and updated, and a response plan is being developed, then the outcome is improvement and is evidence of a management system that works.
Those who think they comply just because they have a plan, and the plan was followed, but didn't conduct a post-incident review, will likely fall into the non-conforming group.
So the bottom line is that an effective management system is one where management continue to identify improvement opportunities and act on them. A ‘real’ event, like an earthquake, is invaluable in this improvement process.

Case Studies

Let’s take a step back and speculate on the management systems (whether formal or informal) of our schools from earlier.
Case 1
First up, the school which closed its doors and did a thorough check of the integrity of the building, Repton Dubai in this case. This is an expensive school to attend, and its policies and reaction to the earthquake demonstrate to me a very risk-averse, safety-conscious management team. Given that the school did not even feel the tremors, some may consider that the response was excessive and costly. Clearly, by sending children home early from school and keeping them home the next day without prior notice, there will be a significant impact on many parents. But then, what would have been the impact if they had not responded in such a way and the roof were to collapse? All questions I would assume/hope were asked and answered by the school, prior to the event (?!).
Regardless, here is the result of their response plan, criticisms from parents who were not happy about the way in which the school responded (as reported in a 7 Days newspaper article):
“I’m amazed,” said one. “The building’s only four or five years old and three stories high.”
“Is the building structure really that poor they think it’s going to fall down?”
“It’d be nice to get a refund for the day, thank you very much.”
What those parents might have otherwise had to say if instead the school roof had collapsed on to their children is something I hope we never have to read, but anyway, I get their point.
So what do we have? Here is a school that reacted quickly to a potentially disastrous scenario but came under fire from “interested parties”, in this case, the parents. Clearly there is room for improvement here. It might be that the school did not communicate effectively when establishing the response plan. Consultation, transparency, communication, awareness are all words that spring to mind. It seems that there is no requirement from the Dubai government to respond to an earthquake in this way, since other schools remained open, so this is a choice that the school has made for itself. So let’s ask a question:
Was this reaction planned, or was it a knee jerk reaction?
It’s very possible that there was no risk assessment and no formal planning and this response was managed on the fly. If this is the case, the next thing to do would certainly be to recognize that the failure here was in not identifying the risk and subsequently preparing an appropriate response plan.
Parents played a key role in this response (they had to be at home or make alternative arrangements with no notice and no support from the school) and were completely unaware, prior to the incident, of how the school would respond. A recipe for parental backlash. In fact, on the day of the earthquake, children were sent home early, and notification of this was sent to parents by email only, so it depended heavily on parents checking emails and making the appropriate arrangements at the last minute. Thanks to inadequate communications planning and awareness as a part of the response plan, the school has taken a hit to its reputation.
If the response was formally planned as a part of a business continuity management system, then the issue is similar, with the need for consultation, awareness, and communications looking to be a key candidate for improvement.
Case 2
Let’s look at two schools which responded in a different way, Gems Education and Taaleem, who both did nothing.
It turns out, it seems, that this was a good decision. The school didn’t collapse, and there are no parents asking for their money back. In fact, “doing nothing” is a valid and common business continuity strategy. However, the question here is:
Was the decision taken by an informed management team based on proper planning and preparation, or was it simply a fright response similar to my own reaction in my apartment tower?
Let’s hope it was an informed and educated management decision, as we don’t have to look too far back to see why these processes, as described in ISO 22301 and other standards, are so important! The Qatar Villagio nursery fire incident of 2012 is a shocking example of management failure at multiple levels and a prime example of why having an effective management system, and not just ticking boxes for compliance purposes, can be so important.

Conclusion

To summarize what I am highlighting here, management system effectiveness is an implied expectation of all management system standards.
Just doing something for the sake of doing something will lead to nonconformance because you are required by these standards to systematically: plan and set objectives that define what you are trying to achieve; then implement the system to achieve those objectives; and finally, you must monitor and review your achievements and act on your findings to make improvements.
If you didn’t achieve your objective, what will you change? If you did achieve your objective, how can you improve? This is the essence of “continual improvement” and therefore, an effective management system.

Advice on earthquake response

I've included some references here for earthquake response planning and the following is an excerpt from the US government site www.ready.gov suggesting what to do during an earthquake. Both ready.gov and the main FEMA website are great sources for emergency planning.
Different countries may provide different guidance however, so always check with your own local authority for appropriate recommendations.

During an Earthquake

Drop, Cover and Hold On. Minimize your movements to a few steps to a nearby safe place and if you are indoors, stay there until the shaking has stopped and you are sure exiting is safe.

If Indoors

  • DROP to the ground; take COVER by getting under a sturdy table or other piece of furniture; and HOLD ON until the shaking stops. If there isn’t a table or desk near you, cover your face and head with your arms and crouch in an inside corner of the building.
  • Stay away from glass, windows, outside doors and walls, and anything that could fall, such as lighting fixtures or furniture.
  • Stay in bed if you are there when the earthquake strikes. Hold on and protect your head with a pillow, unless you are under a heavy light fixture that could fall. In that case, move to the nearest safe place.
  • Do not use a doorway except if you know it is a strongly supported, load-bearing doorway and it is close to you. Many inside doorways are lightly constructed and do not offer protection.
  • Stay inside until the shaking stops and it is safe to go outside. Do not exit a building during the shaking. Research has shown that most injuries occur when people inside buildings attempt to move to a different location inside the building or try to leave.
  • DO NOT use the elevators.
  • Be aware that the electricity may go out or the sprinkler systems or fire alarms may turn on.

If Outdoors

  • Stay there.
  • Move away from buildings, streetlights, and utility wires.
  • Once in the open, stay there until the shaking stops. The greatest danger exists directly outside buildings, at exits and alongside exterior walls. Many of the 120 fatalities from the 1933 Long Beach earthquake occurred when people ran outside of buildings only to be killed by falling debris from collapsing walls. Ground movement during an earthquake is seldom the direct cause of death or injury. Most earthquake-related casualties result from collapsing walls, flying glass, and falling objects.

If in a Moving Vehicle

  • Stop as quickly as safety permits and stay in the vehicle. Avoid stopping near or under buildings, trees, overpasses, and utility wires.
  • Proceed cautiously once the earthquake has stopped. Avoid roads, bridges, or ramps that might have been damaged by the earthquake.
Did you experience the earthquake? How well prepared do you feel you or your company was? Feel free to share your own experiences.
Note also that the schools and any references to other businesses mentioned in this article are for illustrative purposes only and not based on first-hand factual information. Maybe they really do have good business continuity management systems?!

Monday, 15 April 2013

ISO certification; how much does it cost?

ISO certification, how much does it cost to establish and implement a management system and to get certified? In this article I’ll try to answer an unanswerable question.

DIY – Do It Yourself

So the simple answer is that it can cost you anywhere from nearly nothing to lots and lots. Let’s start with the DIY approach.
The cheapest way to do it is to do it yourself. Buy a copy of the relevant standard, read it, and away you go! It's not rocket science and many companies do this. If you know nothing about these standards in the first place, however, it will likely take a lot longer than it could or should, and in some cases may cost you more if you end up doing or implementing things that you don’t need to do or implement.
There’s also the possibility of failing the initial certification audits. But, in theory, this will cost you around $200 or less, plus the costs associated with the certification audit.

Templates

In keeping with the low cost approach, since all management systems require certain documentation, it is often a good idea to purchase some standardized templates for customization.
This can save a lot of time, effort, and also go a long way to help ensure that you are doing and documenting the important stuff.
Template quality will vary, and costs likely range from free up into the $1,000s. Once you purchase your templates you’ll have to spend time customizing them to fit your own company.
However, without expert knowledge this can still be a huge leap and time consuming, and you can still potentially fail an audit if something is wrong. Still, you’re now spending somewhere around $1,000, plus the certification audit fees, and you will eventually get certified. It's not a bad deal!

Training

Adding to our budget approach, let’s consider training. Most companies who undertake a certification project will send key staff for “implementation” training; management and others will often undertake a shorter course at the “awareness” level; and then there are the more specific knowledge and skills of internal auditors, who are sent on “internal auditor” or “lead auditor” courses. There are other types of training, but these three categories are pretty core to most implementation projects. As a generalization, all are necessary; however, none are explicitly required.
If you were to do only one course, I’d highly recommend an auditing course. The reason is that the knowledge and skills relating to audit are not obvious to your typical member of staff, so when you select your [uninitiated] internal audit team they’re likely not going to have any idea what it means to plan, conduct, and report an audit.
For the implementer (or project manager), you can pick up an awful lot about what is expected of a management system, and how an external certification auditor will view your management system, from attending an audit course, as well as learning the skills specific to auditing. Another good reason is that although it is not required by any of the standards, some certification bodies expect internal auditors to have been formally trained, pointing to the competency requirements. So if you can attend one course and one course alone… hmm, but an implementation course is invaluable too!
Clearly, costs associated with training have the potential to dramatically increase the budget, with publicly run commercial courses selling in the region of $700 – $3,000 per student.
So, a generalized and minimal expectation for a reasonable sized project for training might be as follows:
  1. Project manager/lead implementer: 1 day awareness training course; 2-3 days implementer training; 2 day auditor course.
  2. Internal audit team of two members: 1 x 5 day lead auditor course; 1 x 2 day internal auditor course.
  3. Top management and senior staff: 5 x 1 day awareness course.
Total budget estimate for commercial public training: $12,000 – $15,000.
Note that many companies will be able to offer in-house training, which with large numbers often provides a cheaper option than public training. Online training is also a good option when looking at generalized ISO training options.

Consultants

We've seen to this point that with a bit of effort and self-discipline your implementation and certification project can be achieved under your own steam and at a reasonable cost. However, for a first timer, it's not always easy, so an additional cost that many organizations traditionally opt for is that of the consultant.
The idea of bringing in a consultant, at first suggestion, might appear to be an expensive option, but this is not necessarily so; though it will depend very much on what the consultant’s role will be and of course how many of them there are, as well as, and probably most importantly, their level of competence.
Here are a couple of reasons why a well-selected consultant may be useful and could save you money:
  1. Experience and in-depth knowledge of the standards and requirements for certification and the audit process. A good project plan will be focused on completing all of the necessary steps to achieve your policy goals and certification; no less, and no more, unless you specifically require it. In comparison, many internal implementation projects often drag on for much longer than necessary, so projects last longer and could cost more.
  2. Consultants will often deliver most, if not all of the required training as a part of the implementation project. This means that typically more people will be trained for less cost.
  3. A knowledgeable consultant will be able to guide you with regard to any purchases, such as for equipment, hardware, software, facilities, etc. This is no small point. I have personally seen companies spend extortionate sums of money over and beyond what they should be spending based on ill-judgement or worse, poor consulting advice! Most companies have everything they need, anything more is an improvement.
  4. As we will see later in this article, a poorly defined certification scope could cost you dearly by potentially doubling or tripling your audit costs. A competent consultant should help to define a scope which includes everything as necessary, but not necessarily includes everything!
The cost of a consultant, like everything else, can vary enormously. But to have an idea what we are talking about: there is the hourly or daily fee, x the number of consultants, + logistics, expenses, etc., etc., and consultants being consultants will often quote for as much as they can grab of your project, even offering to do all of the work for you (not a good idea!). But to generalize from personal experience, a good consultant will typically take on the role of a project manager, provide guidance and advice, deliver all necessary training, plan and lead the first internal audit, and provide support and transfer knowledge throughout the project, with an average day rate being somewhere between $400 and $1,400 per day plus expenses. The big-brand consulting firms could be a lot higher. And of course this all depends on many other factors, such as location in the world, consultant experience and competencies, and the standard you are implementing.
To put an estimate out there for the total consultancy cost, based on my own projects and experience, time spent on a typical project has averaged 20-25 consulting days (one consultant) for an entire project; that is, from beginning through to successful certification. That’s what I would consider typical; less typical projects have included 4 man-days over a two-month period and, on the bigger scale, 40 days over a 9-month period.
Let’s estimate a total then of somewhere around $8,000 - $25,000 for our consultant on a small/medium-sized project. Apparently more expensive than the DIY approach, although not necessarily so. As mentioned previously, I’ve seen companies who have spent more than $100,000++ on things that they would not have spent on given the proper advice!

Other Ad Hoc Implementation Costs – The Unknown Factor

Depending on the management system you are implementing, be it ISO/IEC 27001 for information security, ISO 22301 for business continuity, or ISO 9001 for quality management, there may be additional costs that will come up for things like equipment, hardware, software, etc. However, these costs are difficult to predict before starting the project, especially for an outsider. Nevertheless, it is certainly a good idea to budget an amount to cover these unknowns, but it is difficult to know exactly how much will be enough.
Once you have established your management system policy, scope, and objectives, and conducted a thorough gap analysis, potential costs will become a little clearer. In general, the more you can budget in, the better.
The reality is that you likely won’t need it all. Why? Well, these unpredictable costs often become evident at the point of the actual implementation, and the implementation of a management system is basically all about going about your everyday business and doing what you've said you are going to do. Translated, most organizations already have what they need to do business! In most cases, it is unlikely that anything significant is missing from the mix.. otherwise you would have gone out of business and closed down before reading this post. This is probably true to a greater degree with quality management, and to a lesser degree with a badly run company implementing business continuity management. But as a generic statement to an internet audience of a couple of billion, it's probably about right.
The point is, none of the standards actually require that you purchase anything in particular; they simply tell you to spell out what you are trying to achieve and demand that you implement a management system in whatever form suits you, as long as it works. That means you still call the shots! Standards do not require “perfection,” and it is time not well spent trying to achieve perfection when you first implement your management system. What is required is continual improvement, so you can consider a lot of your wants and desires as future improvement opportunities – something to plan for and to implement as a next step.
Remember, these standards specify requirements for management processes and control, not retina-scanning devices, remote hot-sites, and state-of-the-art machinery.
In summary, this is where a misinformed or misled organization will often spend a lot of time, and even more money!
Budget under this topic will vary greatly of course, but a small/medium business might consider amounts in the range of $5,000 – $50,000. This is entirely speculative and is provided as a fair guess; in most cases, a small/medium-sized business will be able to complete the project and achieve certification with very little expenditure from this purse, but it is of course always a good idea for it to be there in case it is needed.

Certification

The last $ on the list that I’ll mention here is certification (also known as registration). The cost of accredited certification is ongoing, and it starts with the initial certification audit. The certification audit is carried out in two stages; the first stage is an audit of the documentation and the second stage is an audit of the implementation.
The stage one audit is typically conducted onsite in a single day by the lead auditor, but could be as long as two or even three days. The stage two audit is always conducted onsite and its duration could be anywhere from a single day to weeks, with either a single auditor or multiple auditors. The team size and duration of these audits depend on things such as the management system scope, number of employees, type of business, and the organization’s geographic set-up.
Clearly the bulk of the cost here is in the number of auditors x the number of days. There are other associated costs, such as administrative fees, but these are small in comparison. Other large costs could be travel and accommodation if the auditor is coming from out of town.
It is also important to realize that the initial certification is not the end of the journey, it is the beginning, and surveillance audits will take place at least once every year to maintain the certification.
Expect to pay anywhere up to $2,000 per audit day for a reputable audit company. For a small organization then, let’s say less than 50 persons, you’re likely talking about a 2-3 day certification audit and 1 day surveillance audit per year for ISO 9001 certification. That tallies up to somewhere around $10,000 for a three year certification period.
Audit costs should be known quite early on. Once you have determined the scope of your management system and the associated staff numbers the certification body should be able to provide a quotation for the whole process. And don’t forget to shop around.
As you might imagine, correctly scoping your management system will be a key factor in managing costs.

Conclusion

So in summary, it's hard to say exactly how much it will cost, but I hope I’ve pointed out some of the key expenses involved.
In most cases you won’t really know what the full extent of the cost will be until you get started with some sort of gap analysis. Perhaps you already comply and just have to bring in the certification auditors!
A last thought on costs though – the major cost of implementing a management system is time, effort, and commitment. No consultant can do the work for you (the auditor doesn't audit the consultant!). Everyone in the company will be involved and if management aren't on-board and committed, it’ll never succeed.

Feel free to comment with your own experiences and pricing knowledge, wherever you may be.