• Home
• News
  • Business Continuity News
  • Regional news
  • Sector news
  • Events Diary
  • Newsletters
  • Newsfeed
• Jobs
• Topics
  • BC: Facilities & Buildings
  • BC: General
  • BC: Markets & Companies
  • BC: Plan Development
  • BC: Software
  • BC: Statistics
  • BC: Testing & Exercising
  • Crisis Comms & Management
  • Critical Infrastructure Protection
  • Disaster Recovery
  • Emergency Management
  • Enterprise Risk Management
  • Operational Risk Management
  • Pandemic Planning
  • PS Prep
  • Standards
  • Terrorism
• Technology
  • Cloud Computing
  • Data Center / Centre Issues
  • ICT Continuity
  • Information Security
  • Recovery Facilities
• BC Store
• Journal
  • About the BC & Resiliency Journal
  • Latest papers
  • Subscribe
• Resources
  • Webinars
  • BC software directory
  • Newsfeed
  • Twitter
  • Advanced BC information
  • Advanced ICT information
  • Basic BC information
  • Basic ICT information
  • How to advertise
  • About us
  • Contact us
  • Privacy
• Training

Sign up for Continuity Briefing
Never miss a news story: signup for our free weekly email newsletter.

REGIONAL PORTALS
Continuity Central currently offers three regional business continuity portals:
North America
United Kingdom
Asia Pacific / Australasia

Use Google? Click the button to add Continuity Central news to your Google home page.
Get immediate news and information updates via our Twitter feed.

Auditing contingency plans

By Ken Koch

This article is aimed at facilities managers but is relevant to all business continuity managers.

“John Smith, facility manager for the XYZ Company, has been convicted of negligence today in the deaths of…” Believable news story? Yes it is, and it should be a call to action for all facility managers (FMs). More and more, natural and man-made threats continue to impact citizens and property while federal and state agencies distance themselves from supporting and even responding to crisis events. Prudent professionals must ensure that their properties, employees, and guests are well protected and prepared for any contingency.

Implementing a comprehensive contingency management plan may seem daunting, but it is simply an exercise in commitment—with continuous assessment and revision. Where many FMs err is when they place the plan up on a shelf, never to be looked at again...until years later during a crisis, when they find the plan to be obsolete and useless.

A critical component of assessing the effectiveness of any contingency plan is through auditing the facility regularly and identifying actionable items. Addressing these items and showing proof of continuous and rigorous audits will help defend against a charge of negligence in the event of a problem. As a bonus, the facilities staff will be prepared for any crisis event, and the FM will ensure that life and property losses will be eliminated or minimized.

Audits are not to be used as replacements for tests or training exercises. An audit is conducted to evaluate compliance with specific, measurable criteria. This evaluation can—and should—ascertain the validity of information within the plan and provide an assessment of personnel readiness. It is often based upon a sampling or snapshot view of the plan versus a review of a full contingency plan.

There are many methods for conducting contingency audits and, depending upon the maturity level of a facilities plan, they can include one or more of the following types.

The training exercise audit
While this type of audit is the most common, it is also one of the most misguided and often misses the intended purpose — an accurate evaluation of the plan and identification of gaps. An audit is best left to a third party to ensure an objective report of the performance of the plan and staff involved. Additionally, this allows all facility staff to partake in the drill in accordance with their designated roles and will better reflect the expected results during an actual emergency.

The report generated by this type of audit will identify deficiencies within the plan for the scenario tested, staffing level gaps, and training competency, and it should review the effectiveness of the test case. It will not adequately assess the completeness of a contingency plan, as it is focused on a single incident versus a sample analysis of the plan as a whole.

High level audit
This spot check audit should be conducted on a regular basis as part of a facilities preventive maintenance cycle. The goal is to flag the need to update the plan and/or staff for any changes.

Are all copies of the plan current and located where they belong? Did the gas company change names or phone numbers? Have the new water valves been properly tagged? Are there new employees who have not been trained on the relevant contingency procedures? With the changing seasons, what mitigation steps should be implemented that were not important before?

Answering these and many other relevant questions will ensure that the plan is in sync with the rest of the facility changes. Performing this type of audit reinforces the commitment to contingency management planning and ensures staff participation.

Detailed audit
These are generally performed by third party firms who will then issue a report on the results of the audit. Prior to engaging in a detailed audit, the FM must define the criteria.

With contingency plans, the criteria can range from benchmarking against industry standards for each facility type or comparing against other facilities under management by the organization. The results of a detailed audit can help improve non-audited portions of the plan and could identify when gaps could materialize in other sections.

Full plan audit
Best done upon the initial completion of a contingency plan (and then again on a reoccurring basis), these full audits will compare the contingency plan with the real world, identify gaps or areas to be updated within the plan, and help the FM prioritize future exercises. These audits also should be handled by an outside firm, since even well trained staff can overlook items due to familiarity with the facility and plan.

A full audit will review not just the plan, but it should also cover the environment and risks that could impact the facility. An assessment of how the plan addresses each risk should be included.

Conducting an audit will only identify areas of deficiency, gaps, and possible improvements. It does not fix them!

Any items identified in the report should be prioritized based on appropriate criteria such as cost, effort, or severity of the risk. The FM or designated contingency planner will then assign someone to address the issue, set a due date, and follow up to ensure that the plan has been adequately updated. The item should then be marked closed with the date noted.

After incorporating all of the identified items within the audit, this audit report should become part of the historical record section of the plan; then the version should be updated with new paper and electronic copies distributed to the appropriate locations.

Traceability of changes (and reasons for those changes) will help with future audits and plan revisions. Too often, the question “why did we…?” is met with blank stares. Something as simple as a change control trail could answer this question.

Audits should not be used as a means to train or discipline staff, but rather, they are tools to help everyone be better prepared in the event of an emergency. Crisis events will happen, and an organization’s response will be scrutinized. If the facility is well prepared and has drilled and performed regular audits with updates, the response should be appropriate and complete. The headline should read “John Smith, facility manager for the XYZ Company, is credited with....”

Ken Koch is the CEO and lead consultant for Business Resource Management, Inc. (BRM), based in Eagan, MN. He can be reached at kkoch@brmonline.com

•Date: 15th Nov 2007• Region: US/World •Type: Article •Topic: BC facilities

Tweet