Auditing contingency plans
By Ken Koch
This article is aimed at facilities managers but is relevant to all business continuity managers.
“John Smith, facility manager for the XYZ Company, has been convicted of negligence today in the deaths of…” Believable news story? Yes it is, and it should be a call to action for all facility managers (FMs). More and more, natural and man-made threats continue to impact citizens and property while federal and state agencies distance themselves from supporting and even responding to crisis events. Prudent professionals must ensure that their properties, employees, and guests are well protected and prepared for any contingency.
Implementing a comprehensive contingency management plan may seem daunting, but it is simply an exercise in commitment—with continuous assessment and revision. Many FMs err by placing the plan on a shelf, never to be looked at again...until years later during a crisis, when they find the plan to be obsolete and useless.
A critical component of assessing the effectiveness of any contingency plan is auditing the facility regularly and identifying actionable items. Addressing these items and showing proof of continuous and rigorous audits will help defend against a charge of negligence in the event of a problem. As a bonus, the facilities staff will be prepared for any crisis event, and the FM will ensure that life and property losses are eliminated or minimized.
Audits are not to be used as replacements for tests or training exercises. An audit is conducted to evaluate compliance with specific, measurable criteria. This evaluation can—and should—ascertain the validity of information within the plan and provide an assessment of personnel readiness. It is often based upon a sampling or snapshot view of the plan rather than a review of a full contingency plan.
There are many methods for conducting contingency audits and, depending upon the maturity level of a facility's plan, they can include one or more of the following types.
The training exercise audit
The report generated by this type of audit will identify deficiencies within the plan for the scenario tested, staffing level gaps, and training competency, and it should review the effectiveness of the test case. It will not adequately assess the completeness of a contingency plan, as it is focused on a single incident rather than a sample analysis of the plan as a whole.
High-level audit
Are all copies of the plan current and located where they belong? Did the gas company change names or phone numbers? Have the new water valves been properly tagged? Are there new employees who have not been trained on the relevant contingency procedures? With the changing seasons, what mitigation steps should be implemented that were not important before?
Answering these and many other relevant questions will ensure that the plan is in sync with the rest of the facility changes. Performing this type of audit reinforces the commitment to contingency management planning and ensures staff participation.
With contingency plans, the criteria can range from benchmarking against industry standards for each facility type to comparing against other facilities under management by the organization. The results of a detailed audit can help improve non-audited portions of the plan and could identify when gaps could materialize in other sections.
Full plan audit
A full audit will review not just the plan; it should also cover the environment and risks that could impact the facility. An assessment of how the plan addresses each risk should be included.
Conducting an audit will only identify areas of deficiency, gaps, and possible improvements. It does not fix them!
Any items identified in the report should be prioritized based on appropriate criteria such as cost, effort, or severity of the risk. The FM or designated contingency planner will then assign someone to address the issue, set a due date, and follow up to ensure that the plan has been adequately updated. The item should then be marked closed with the date noted.
After all of the items identified in the audit have been incorporated, the audit report should become part of the historical record section of the plan; the version should then be updated, with new paper and electronic copies distributed to the appropriate locations.
Traceability of changes (and reasons for those changes) will help with future audits and plan revisions. Too often, the question “why did we…?” is met with blank stares. Something as simple as a change control trail could answer this question.
Audits should not be used as a means to train or discipline staff, but rather, they are tools to help everyone be better prepared in the event of an emergency. Crisis events will happen, and an organization’s response will be scrutinized. If the facility is well prepared and has drilled and performed regular audits with updates, the response should be appropriate and complete. The headline should read “John Smith, facility manager for the XYZ Company, is credited with....”
Ken Koch is the CEO and lead consultant for Business Resource Management, Inc. (BRM), based in Eagan, MN. He can be reached at firstname.lastname@example.org