ISO 22301 is an international standard which provides requirements for establishing and maintaining a Business Continuity Management System (BCMS). The standard can be implemented by organizations of any type and size, with the intent to protect business operations from incidents, be those natural, physical, cyber or economic. In other words, a BCMS enables an organization to be prepared for a wide range of unpredicted events, by implementing a detailed Business Continuity Plan (BCP), and assign the responsible persons for each scenario.
The list of reasons why an organization should implement and maintain a Business Continuity Management System based on ISO 22301 is long, but the basic and most important reason is that of making sure not to bankrupt or be forced to close the organization in a case of a disaster. For example, surveys show that the average IT downtime yearly for organizations can amount to a great loss, but one which is not visible at first glance.
CA Technologies conducted a study where it showed that the average IT downtime for companies in Europe and North America is approximately 14 hours yearly. While this does not seem like an event which might have significant consequences, when calculated, it costs a staggering $26.5 billion, which is to say an average of $150.000 yearly for each company. The case, however, is that some companies lose much more depending on their size and the nature of the products and services they offer, as well as their business operations.
The implementation of a Business Continuity Management System entails a series of actions and implementation of a number of strategies, policies and the conduction of a number of analyses. Some of them are:
Business Continuity Policy
Business Impact Analysis
Business Continuity Strategy
Protection and Mitigation Measures
Disaster Recovery Plan
Business Continuity Plan
Since ISO 22301 provides general requirements, one of the main components of implementing the standard is the understanding of the organization and its context. In practice this translates into getting to know the organization, its products and services, interested and involved parties (such as shareholders, suppliers, customers, employees and so on), crucial business operations, and importantly, threats that the organization is most exposed and vulnerable to.
Some of the benefits of implementing a Business Continuity Management System based on ISO 22301 include:
Ensure the continuation of business operations in case of disasters – This may include a scenario where the company is subject to a cyber-attack, such as a ransomware, DDoS (Distributed Denial of Service), different viruses and so on – or it may include a natural disaster, such as flooding, earthquakes, hurricanes, etc. A BCMS enables organizations to create and maintain strong response as well as recovery procedures, thus ensuring the continuation of operations and being able to continue customer service. The organization’s management will be able to quickly respond to the situation with the right mechanisms and instruments as well as measure the impacts that incidents have on business operations.
Safeguard profit and assets – An effective BCMS ensues the elimination or minimization of losses in case of disasters, and protects the revenue stream.
Maintain good reputation – An organization which has a BCMS in place is more trusted in the eyes of its customers, shareholders, suppliers or any other involved party. By being certified against ISO 22301, an organization instills confidence in its partners which strengthens business ties and opens possibilities for new partnerships.
Meet legal and regulatory requirements – The implementation of a BCMS based on ISO 22301 demonstrates that the organization is compliant with legal and regulatory requirements, and thus minimizes chances of penalties because of legal non-conformities.
Reduce risk-associated costs – ISO 22301 helps an organization identify potential risks which have a higher probability of impact. This way the management can identify which insurance is most appropriate for the organization and save on costs. Moreover, in case a disaster happens, the organization has the right tools to minimize the effects and thus minimize the costs of impact and be able to survive the disaster.
Gain competitive advantage – An organization which is certified against ISO 22301 stands above its competitors. In turn, this can be translated in, for instance, higher chances of winning public tenders as well as obtaining new, profitable partnerships.
ISO 22301 is a universal framework for implementing a Business Continuity Management System which truly helps organizations in their most difficult times. In a world where cyber defense has become a routine operation and natural disasters are more unpredictable and impactful than ever, it is crucial to be prepared for the difficult days a business might have, by investing in an encapsulating system which provides security, safety and protection of assets.
PECB is a certification body for persons, management systems, and products on a wide range of international standards. As a global provider of training, examination, audit, and certification services, PECB offers its expertise on multiple fields, including but not limited to Information Security, IT, Business Continuity, Service Management, Quality Management Systems, Risk & Management, Health, Safety, and Environment.
About the Author
Julian Kuci is the Marketing Quality Assurance Manager at PECB. He is a graduate of RIT in Economics & Statistics and Public Policy & Governance. Julian holds a diploma in Transitional Justice from the Regional School of Transitional Justice and is certified against ISO 9001 – Quality Management and ISO/IEC 27001- Information Security Management.
Let’s talk about a new approach to internal auditing. I call it like to call it Risk Based Auditing.
To give you some background my company, FQM, undertake audits for our customers as well as providing internal auditor training. One of the issues we often come across is organisations that ‘pack-out’ their audit schedule throughout the year with unnecessary audits. What they tend to do is believe that they need to audit every clause of the standard. This is because that is what their auditor told them at the time of certification.
This is not correct. That external certification assessment really undertakes the audit of all the clauses.
What we suggest to companies is that they take a risk-based approach to auditing.
Most organisations will have a suite of either manual or a suite of processes or procedures that demonstrate how they comply with the requirements of the ISO standards. Whether that be a quality management system, environmental management system, a health and safety management system or a combination of those integrated together.
One of the key things we mention when we’re training internal auditors is that they should develop their schedule and their plan of auditing. This should be based on the risks associated with those different sections of the manual, processes or procedures.
What Do We Mean By That?
If a section of the standard or a document within your organisation is not a critical activity, then you don’t need to audit it. Instead, do a high-level risk analysis of your processes and try to understand which ones are critical. A little like what you would do when you do an analysis of your supply chain. You don’t put a lot of effort into checking and evaluating every one of your suppliers, but you do identify which one could potentially bring the greatest harm to your business. You should put more of your focus on them, you class them as your critical suppliers for example and you put the focus on ensuring that you manage them well. You are also likely to build up a relationship and work with them to minimise the potential of harm happening.
Therefore, you look at your processes, identify which ones are critical to your organisation. Often you will find that many of the critical activities are sitting in the key operational areas your production, your service delivery or your design areas.
Many companies, when they do internal auditing, audit the procedure in without reference to other areas. In other words, they audit in a “silo”. They do not consider how that process or procedure interacts with other processes or procedures within an organisation. It is important to recognise that often issues arise when passing from one part of the organisation to another.
When you look at your suite of procedures and processes it is important to recognise how critical they are to your business. Identify the ones which are most critical and start to put a little bit more focus on auditing those areas of the business and the interaction with other processes and procedures. By doing this you put a much more focused coherent approach to your internal audit process, and you can minimise the amount of internal auditing you do.
Risk Based Auditing
Many companies that we have seen just do too many internal audits simply to tick some boxes. They do this simply to be able to tell the external auditor that they have done 40 internal audits.
Personally, I would prefer to see 10 internal risk based auditing processes done on critical processes and identify areas of improvement.
If you use a risk-based approach to your internal auditing process, then you can justify to your external auditor why you audit these processes maybe possibly twice a year. This is in comparison to other processes in your organisation you may just audit once every couple of years.
This will give you far more detailed information, far more data to help improve how your business operates and drive your business forward.
FQM are delighted to have contracted with one of the leading Oil and Gas operators in the North Sea, (Neptune E&P Uk Ltd), to deliver a Quality Management strategy and planning program.
FQM completed the following annual audits on our clients throughout September:
TGP Landscape Architects and TGP North against the clause of ISO 9001:2015
123v against the clauses of ISO 9001:2015, 14001:2015 and 45001:2018
Anderson Bell Christie Architects against the clause of ISO 9001:2015
G3 Consulting Engineering against the clauses of ISO 9001:2015 and 14001:2015
Assist Architects against the clauses of ISO 9001:2015 and 14001:2015
Fugro Germany Marine against the clauses of ISO 9001:2015, 14001:2015 and 45001:2018
Cameron Presentations against the clauses of ISO 9001:2015, 14001:2015 and 45001:2018
APD Ltd against the clause 14001:2015
Walsh Brothers against the clause of ISO 9001:2015
FQM completed 1 to 1 Internal Auditor training on ISO 9001 and 14001 for one of our Architect clients Assist Design in Glasgow.
FQM completed on and offsite QHSE coordinator support for many of our clients throughout September. This service sees our team working within our client’s facilities, at offsite locations and sometimes remote at construction and other sites. This included the following:
– Equipment calibration and certification support for one of our Mango QHSE Compliance Software Clients.
– Support in document management for one of our Mango QHSE Software Clients
– Internal auditing support for one of our clients based across Aberdeen, Edinburgh and Glasgow
– Incident investigation and corrective action support for one of our Scottish clients
This month FQM were in Germany working with clients from the marine industry, assisting them in audits and improvements of their ISO management systems.
In September we were with one of our clients in the west of Scotland, discussing how our Mango QHSE Compliance Software can assist them in implementing and obtaining certification of an integrated management system against iso 14001 and iso 45001. This included a detailed tour of the clients substantial steel processing plant.
FQM this month continued our Mango QHSE Compliance Training and commissioning at one of our new London based marine clients (IMCA). Great to see the company starting to embrace the simplicity and benefits of Mango. We will be assisting them in moving forward with Stage 1 ISO 9001 in October with a plan to achieve full UKAS certification to ISO 9001:2015 by year end.
Have a look at what we have been up to in August below. It’s been yet another busy month at FQM – and we are looking forward to September.
Processplus achieve certification to iso 9001, iso 14001 and iso 45001 with the help of FQM and our Mango QHSE Compliance Software.
Lareine Engineering achieve ISO 9001 certification with the help of a new Quality Management System from FQM.
Internal Audits for Amosbeech looking at compliance against ISO 9001 ISO 14001 and ISO 45001 and any areas for Improvement.
Leadership coaching session with Amosbeech on our Mango QHSE Compliance Software
ISO 9001:2015 Gap Analysis Assessment by FQM at the International Marine Contractors Association in London.
Mango QHSE Compliance Software training with FPG, the Fire Protection Group in Linlithgow
Mango QHSE Compliance Software training with CPMS, the Construction Property Maintenance Services company that recently implemented our software at their head office in Erskine.
Internal Audit against the International Standards ISO 9001, ISO 14001 and ISO 45001 for 123V PLC. The UK leader in high quality carports, verandas and canopies for domestic and commercial companies.
ISO 900 and 14001 Implementation coaching with the leadership team at G3 Consulting Engineers in Glasgow.
FQM recently undertook a detailed Internal Audit against ISO 9001 at Albion Drilling Group in Stirling, a long established client using our Mango QHSE Compliance Software.
FQM undertook a detailed Internal Audit at Bracewell Stirling Consulting against the International Standards ISO 9001, ISO 14001 and OHSAS 18001.
FQM provided Health and Safety support to Brookfield Metal Recycling in Linlithgow, reviewing and updating their Fire Risk Assessment and Emergency plans, plus a detailed review, update and coaching on their operational Risk Assessments.
Mango QHSE Compliance Software training with i3 Energy, an independent oil and gas company with assets and operations in the United Kingdom at their head office in Aberdeen.
If you need assistance with any of the above – then please don’t hesitate to get in touch at firstname.lastname@example.org
New client – City Moves Dance Agency based in Aberdeen contracted with FQM for HS Support – this commenced with an initial HS Legislation GAP analysis carried out by our Calum MacDonald under our HSE Managed Services
FQM carried out the first Mango QHSE Software Training session with Commercial Property Maintenance Services. Established in 1996, Commercial Property Maintenance Services has gained its enviable reputation by providing a full and comprehensive range of property facilities management, building services, construction and maintenance solutions.
Successful certification audit to ISO 9001:2015 for long standing client George Brown and Son’s Quality Management System. George Brown & Sons Engineering have been offering engineering services to a wide range of companies throughout the UK and beyond since 1828. They operate departments specialising in engineering services, ship repairs, automotive engineering and lifting and testing.
ISO 9001:2015 and ISO 14001:2015 Integrated Management Systems Audit at Russell Leisure in Edinburgh. This company is one of the oldest playground companies in the UK with over 30 years’ experience creating play areas for both public and private sector.
An Internal Audit was carried out of Lareine Engineering’s new ISO 9001:2015 Quality Management System.
If you’d like to hear anymore about the services that we offer, please get in touch. We’d be happy to help.
Ask a supply chain expert where things become most challenging and more often than not they’ll point to supplier and contractor management. Supplier management is a fundamental component of any decent compliance system, however it’s an area that many organisations only pay lip-service to.
Understanding your supplier management weaknesses
Before using a supplier, many organisations will ask them to complete a self-assessment questionnaire, made up of general questions with yes/no answers. Questions such as “Do you have a quality system?” and “Are you certified to ISO 9001?”
The thing is, it’s far too easy for us to view our organisation in isolation: a self-sufficient entity. We focus inward. We see our systems, behaviours and practises comprising of what happens on our own patch. This generates a thought process that goes something like: “We’ve got enough on our plate without worrying about our suppliers’ problems!”
It’s a fact that in many industries that a significant portion of a company’s cost of goods/service is typically externally purchased or supported from contracted services. In some industries that rely very heavily on contracted support this can be as much as 70% to 80%. There’s a lot of risk sitting in these numbers…but also a lot of wonderful opportunity.
You can send out questionnaires that will (barely) meet the quality standard, plenty of organisations continue to do so! Sooner or later however, a supplier will have a negative impact on you and your customers. The second this happens, your reputation is put at risk.
The bottom line is, that you’re going to have to get proactive and, whilst there’s no silver bullet, it’s really not that hard to work with your supplier to get the assurance that you have in fact appointed the right company, you just bring some focus and discipline into things. Here’s how to get started…
There’s a lot of buzz regarding ‘Engagement’ but forget all that and simply take it the way it reads in the dictionary. We are meaning ‘to become involved’.
Adopt the mind-set that you are in a partnership with your suppliers and contractors. Partners naturally help each other out and want to bring the best out in each other. Think of yourselves as being on the same team, a team whose ultimate goal is to delight your end-customer.
Spend a little time identifying your top ten most critical suppliers or contractors. Choose them based on risk: what impact do they have on your company and the end-customer? How many non-conformances, accidents or complaints have been reported about them in the past 12/24 months? What activities do they undertake for you, or what products do they provide to you? Is there a potential problem just waiting to happen?
Set up a meeting with your supplier, to outline what you’ve identified and importantly, what their impact could be on your company and your clients. This doesn’t have to be face to face but in terms of building relationships the benefits of visual and verbal interaction are difficult to beat.
Before the meeting takes place consider what additional information you need about the supplier. What could they share with you to provide you with that comfort and assurance? You may want to undertake an audit, or simply a visit to see them in action on a site. Perhaps it’s the details of previous audits or the story they can tell of how they’ve handled previous non-conformances or audit findings that puts your mind at ease. There are many ways to approach this, but you need to identify the method that works for you and to have the supplier on side…remember that word, relationship!
Does the following statement sound familiar? “We’ve always used them, they’re great, they do exactly what we ask them to do and they know exactly what we want from them.” Is this a fact or a feeling? You may wish to reconsider what this ‘feeling’ is based on. Is it because someone that worked in our compliance department some time ago, said so? Sometimes you have to hear it with your own ears and see it with your own eyes, simply to be satisfied that things really are as you would expect them to be and to take the opportunity to look at improvements, how things might be done better, not just as they’ve always been done.
Once a healthy relationship is established the chances to have follow up chats and outline areas of improvement, with input from both parties, are commonplace.
Too few organisations make supplier management a priority, but the ones that do reap impressive rewards. Focus on supplier management and you’ll find risk is reduced because communication is open and two-way, meaning you are much less likely to be caught unawares – besides, you never know what else might come out of it!
When you are running a company that uses contractors and external suppliers, you need to make sure that you are managing them effectively. Occasionally, problems can arise, and you need to be ready to face them. Find out more about how to do this below.
Benefits Of Using Contractors
There are many benefits to using external resources like suppliers and contractors in a business. More businesses are realising this and are changing the way that they operate. As long as supplier relationship management takes place, businesses can benefit from expert services, lower costs and increased agility. You can also use contractors for their specialist skills while giving yourself more time to focus on the core business activities which you know you are good at.
Next, we are going to discuss some of the things that you need to focus on when managing these external resources.
When you are using contractors or external suppliers, you need to be able to manage them in a dynamic way. This requires a different type of leadership skills that you might need to work on. Improved leadership will help you to manage this effectively, but remember it’s a relationship, so you need to be able to take advice from suppliers as well as pass out instruction. The best leaders will always be willing to change and adapt to situations, even those which are identified and presented from outside your organisation.
Does your business have clear processes that are easy to follow? You need to make sure that everything is explained carefully to outside contractors to keep the business running smoothly. A key point to remember, when you write processes, they need to be understood by those that may not currently do the job and they should be simple to follow and implement. There is no use in having fantastic complex processes that people don’t understand, as they simply won’t be implemented or used. Many businesses these days consider adopting processes and practices that align with International Standards, such as ISO 9001 for Quality Management. These include supplier management and relationship, amongst other things and will provide you with a framework.
Risk assessment and management should be something which you are actively doing throughout your entire business. This is especially important when working with external resources to avoid any serious threats to your intellectual property, people, assets or your business processes. Effective supplier relationship management requires vital education on how your business operates and assessing your business risks regularly, including those imported in to the business from supplier is vital.
Using external resources can be cost-effective but only if you control your costs effectively. Think about how much you can afford to spend on these things and manage your budget accordingly. Consider how much this would cost you to undertake internally, ensuring to include all costs associated, plus management that may be involved.
Your HR policies might need to be adapted to accommodate the external staff that you are making use of. Think about how they differ from staff on your payroll, but don’t forget that if they are involved in higher risk activities for your business, you will need to take a level of responsibility to ensure the safety of them and others working around them.
If you are using external resources, then you need to have strict KPIs and SLA’s to ensure performance is managed effectively. Not only should you record the performance, but you should analyse it also, ensuring that areas for improvement are documented and driven through improvement plans with suppliers. But don’t forget that this should be a relationship, so the improvements could very much be on your side as much as the suppliers.
The final thing that you need to focus on is making sure that you have the right tools to make this work. Consider adding software that allows you to share knowledge and encourages collaboration for the best possible result.
Make sure to focus on these key areas if you want to make the most of any external resources that your company utilises.
FQM are delighted to welcome Julie McKee as Technical Assistant. Julie will provide first line support to internal FQM consultants as well as clients in the area of Mango QHSE Software.
FQM completed the following annual audits on our clients throughout November and December:
John Gilbert Architects against the clauses of ISO 9001:2015, ISO 14001:2015 and OHSAS 18001:2007
Alex Nangle Electrical against the clauses of ISO 9001:2015 and ISO 14001:2015
Infographics UK Ltd against the clause of ISO 9001:2015
Storrier & Donaldson against the clause of ISO 9001:2015
FQM completed management system support / HSE support to several of our clients through our QHSE Services portfolio:
Cameron Presentations – carried out an offsite HSE Safety Inspection for one of their end clients in Edinburgh as part of our HSE monthly managed QHSE services support to clients.
Cameron Presentations, Edinburgh facility – carried out onsite Health and Safety Compliance Audit for our client.
Lareine Engineering – carried out an ISO 9001:2015 Internal Audit of their recently implemented and updated quality management system.
Amos Beech – carried out QHSE Internal Audit against clauses of ISO 9001: 2015
Kelton Engineering – have engaged with Kelton to support them with their 2019 QHSE internal audit support.
FQM are delighted to have been contracted by one of our existing clients, Albion Drilling Group (ADG), to expand our services. Having worked with ADG for a number of years and assisted them in achieving ISO 9001:2015 certification with the British Assessment Bureau, we have now been asked to provide our full suite of QHSE support services, where by FQM consultants will help ADG meet their legal requirements towards Health, Safety and Environmental compliance using our Mango QHSE compliance software.
FQM QHSE Coordinator Robbie Cairns completed further on and offsite QHSE support for many of our clients throughout November and December. This service sees our team working within our client’s facilities, at offsite locations and sometimes remote at construction and other sites. This included supporting our clients on the management of their Mango QHSE Compliance Software. This month that included, FPG, Alex Nangle Electrical and Processplus.
Currently training personnel on the use of Mango and beginning implementation of Mango based IMS (3-standard) with H L S McConnell, who are a respected industrial and commercial roofing contractor.
Our MD Chris Docherty has continued to be working with a large Oil and Gas operator with North Sea assets to undertake a strategic review of the UK operations management of Quality, through undertaking stakeholder interviews, system reviews and a detailed review of QA/QC support currently and for future needs and expectations.
Steel Alloys and Services – due to their recent expansion and relocation to new premises – FQM have engaged with Steel Alloys to provide them with Quality, Health, Safety and Environmental support utilising the Mango QHSE compliance software
Two new clients have subscribed this month to the Mango QHSE compliance software, seeing the benefits of it’s simplicity to use, cost effectiveness and all in one cloud based software – read our clients testimonials here.
The months of November and December seen Chris Docherty visit London a number of times to assist our client International Marine Contractors Association (IMCA) in achieving ISO 9001:2015 certification with our Mango QHSE Compliance Software. This was achieved with zero non-conformances from the UKAS Certification Auditor.
FQM achieved continued certification to ISO 9001:2015 through our surveillance visit from the British Assessment Bureau auditor.
Albion Drilling Group – our MD Chris Docherty attended ADG’s ISO 9001:2015 external surveillance visit from the British Assessment Bureau as the ADG appointed Quality representative to provide them with onsite support using the Mango QHSE compliance software throughout the audit. We are happy to report that ADG received a clean bill of health and full certification remains in place.
FQM are delighted to continue to provide Quality Support to top Scottish security company DSD Scotland, whereby we ensure they are meeting all requirements of ISO 9001:2015 to maintain their certification, through our Internal Audit programme.
Our QHSE Advisor Calum MacDonald carried out an ISO 45001:2018 GAP analysis assessment audit for our long term Aberdeen client Kelton Engineering. This audit was to provide the management of Kelton Engineering with confidence that they are prepared to achieve transition from OHSAS 18001 to ISO 45001:2018 and outline any actions to be taken.
FQM have been continuing our implementation and support of the ISO 9001:2015 Quality Management System with Mango QHSE Compliance Software at the International Marine Contractors Association (IMCA) at their London HQ.
FQM completed the following annual audits on our clients throughout October:
AMT Intercargo against the clauses of ISO 9001:2015, ISO 14001:2015 and OHSAS 18001:2007
Bayne Stevenson Associates against the clauses of ISO 9001:2015 and ISO 14001:2015
Brookfield Metal Recycling against the clauses of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018
Assist Design Architects against the clauses of ISO 9001:2015 and ISO 14001:2015
FQM QHSE Coordinator Robbie Cairns completed further on and offsite QHSE support for many of our clients throughout October. This service sees our team working within our client’s facilities, at offsite locations and sometimes remote at construction and other sites. This included supporting our clients on the management of their Mango QHSE Compliance Software. This month that included, FPG, Alex Nangle Electrical and Processplus.
Our MD Chris Docherty has continued this month to be working with a large Oil and Gas operator with North Sea assets to undertake a strategic review of the UK operations management of Quality, through undertaking stakeholder interviews, system reviews and a detailed review of QA/QC support currently and for future needs and expectations.
One of our QHSE Advisors Calum MacDonald has continue to provide support to Aberdeen based dance company City Moves, in the areas of Health and Safety legal compliance. We work with clients of all shapes and sizes, but we have to say this is the first Dance company and it’s great to see them taking responsibility for their staff, customers and visitors.
We delivered out in-house ISO 9001:2015 Internal Auditor training to an existing client in Dundee, the successful Engineering and Racing company Agra Engineering.
QHSE can be seen as a difficult area to break into; the depth and breadth of this field linking arms with the veterans of compliance forms a formidable hurdle. However, six months on from beginning my role here at FQM, I feel as though I’m finally linking up.
When I first began, much of my time was spent building client management systems; analysing the data brought to me from site and attempting to build a picture of how each client works and how they would comply with the standards in their own unique way. Of course, this proved challenging as at the time I was still picking apart the ISOs themselves – though looking back, I can say the recent common framework invariably made things easier! Lastly, as the final layer on my learning cake; I had been tasked with shadowing on site visits and becoming adept with the QHSE Software Mango.
Attending site visits is my favourite part of the job. I was offered a window into the inner workings of a great many interesting businesses, and in some cases, began to see my office labours actually come to life. Most recently, I had a wee proud moment when two clients I had been closely involved with passed their certification – one with Mango and one without.
Its through these experiences that I learned an important lesson on coming to grips with Mango, and QHSE in general: participation is the key to success. Its only once I began to apply Mango, apply the standards and apply the site experience, that I was more confidently able to craft client solutions. And I’ve seen the same thing happen inside their businesses too. If everyone gets involved; signing-on the system, managing the modules, putting the processes through their paces – then you truly see honest improvement.
Although there’s still a lot to grasp before I can join arms with the compliance experts; going forward now I know where to focus my efforts. As I progress, I hope now to continue learning, engaging with clients and to take a more active role in the FQM team; ensuring that our clients continue get the very best support that we can provide.