Thursday, 13 June 2013

Improvement planning and objective evidence

In a recent audit of a client’s business continuity program, an auditee in the company’s communications department, who was responsible for the internal communications protocol, offered up – when asked – an improvement opportunity that he had identified a month earlier regarding the early warning process that they were currently following.
At the time I was auditing, the authorized procedure for providing notification to staff of an impending disruptive incident (an approaching sand storm, for example) involved sending out a red colored alert message by email and SMS to all staff, at all levels, and to all locations and offices across the entire country in which they operated to warn staff of the coming event. In this case, the communications specialist had identified that by sending messages indiscriminately to everyone, staff who would be unaffected by a localized event may become complacent about the little red notice’s importance, hence impacting the effectiveness of the procedure. The proposed solution was to review this procedure and to see if it could be improved upon by having the capability to target the messages to specific audiences.
In any management system audit, such an initiative is a very positive finding since it is evidence that continual improvement is in fact occurring, as indeed it should be if we are properly aligned with the subtleties of the process approach, PDCA model, and continual improvement mandated by all ISO management system specifications. In ISO 22301, this requirement basically falls under clause 9.1 Monitoring, measurement, analysis and evaluation for identifying the improvement and clause 10.2 Continual Improvement for taking action. However, it is the next step wherein many organizations often fall short, especially those that have only recently established their shiny new management system and haven’t thoroughly come to grips with the complexities of the process approach. The next step is obviously to plan the improvement action; and the next audit question, then, is likely going to be something along the lines of, “Please show me the plan!”
Unfortunately, organizations with a less mature understanding of the requirements of management systems, and more importantly of this PDCA culture, think that by just fulfilling the minimum stated requirements of the standard they are fully meeting their obligations and have a conforming management system. But this is not necessarily so, as auditors are not there to simply tick boxes, but rather to audit the intention, implementation, and effectiveness of the management system – they’re auditing the process itself, and there must be sufficient objective audit evidence made available to the auditor so that a determination can be made as to the extent of conformity to established requirements.
In the case of my auditee, the communications manager, he was unable to provide evidence, other than a few inspiring words and a couple of emails that had been largely ignored by the recipients, of any real commitment or support to actually implement the improvement that he had identified.

PDCA (Plan – Do – Check – Act)

The process approach means that once the process weakness or improvement opportunity is identified (at the C – CHECK stage) then it should be evaluated, and if appropriate, acted upon (A – ACT). A decision to take action leads us back to the beginning of the cycle, P – PLAN, and therefore there should be audit evidence available in one way or another for the decision having been taken (Who decided? Who authorized the action?) and for the planning of the improvement itself.
Not to get into a discussion about documentation requirements, and while it is true that a plan may not necessarily be (or is not required to be) documented, records are still typically required to be maintained as evidence. The point is that there must still be objective evidence that the organization is in fact planning and that it is in control of its own processes, has management support, and that the necessary resources are committed for the process to achieve its objectives. A member of staff making the claim that he is planning to do something without then supporting that claim with something a little more tangible is likely to fall short in an audit and certainly doesn’t give an auditor any confidence. In terms of planning, there should at least be some clarity on the basics, which would include accountabilities and responsibilities, planned actions, a clear time-frame, and not forgetting... an objective! (You are taking action to actually achieve something, right?)
In most other management systems there is still the age-old requirement for “Preventative Action”, which does clearly mandate this need to record evidence of improvement planning; however, the days of a preventative action procedure are limited and, as is the case in ISO 22301:2012, we now look to clause 6.1 “Actions to address risks and opportunities” for this requirement to “plan actions to address ... opportunities” and to “integrate and implement [these] actions.”

Conclusion

To ensure that you are getting the most out of your ISO 22301 internal and external audits, ensure that your management processes identify and include requirements for maintaining evidence of the management system’s effective implementation. It is generally a good idea to document any improvement plans and activities.
For implementers, it is wise to ensure that not only is the necessary documentation produced during the implementation stages of a certification project, but that management culture is also developed in line with the process approach to management.
I hope this article has been helpful. Feel free to post questions or comments, or to share your own experiences or views on the topic.