Equipping You For Success: An ISO Certification Case Study


Page 1: Equipping You For Success: An ISO Certification Case Study
March 28, 2017, 10:45 to 11:45 am
Maureen Roskoski, Corporate Sustainability Officer, Facility Engineering Associates, PC

Meet Our Presenter
Maureen K. Roskoski, CFM, SFP, LEED AP O+M
Business Continuity Lead, Corporate Sustainability Officer

Page 2: About Us
Engineering & Facility Management Consulting Firm
Small Business, 50+ Employees
Three Main Offices: Fairfax, VA; Denver, CO; Santa Rosa, CA

Importance of Standards
"Weights and measures [standards] may be ranked among the necessaries of life to every individual of human society. They enter into the economical arrangements and daily concerns of every family. They are necessary to every occupation of human industry." John Quincy Adams, Report to the Congress, 1821

Page 3: Why ISO Certification?
Assurance of continuity of our business
Achieve a recognized global benchmark
Meet customer demands

What Is Important to Your Organization?
Reduce risk of business interruption
Provide full service to our clientele
Increase competitiveness
Protect reputation and brand
Protect our assets and safeguard our employees

Why ISO Certification? Adding Value While Improving Performance (the ISO certification process):
01 Manage Risk
02 Maintain Focus
03 Integrate Processes

Page 4: ISO Standard: Structure and Content of the ISO Standard
The clauses follow the Plan-Do-Check-Act cycle, with continuous improvement around it:
Plan: Clause 4 Context of the Organization; Clause 5 Leadership; Clause 6 Planning; Clause 7 Support
Do: Clause 8 Operation
Check: Clause 9 Performance Evaluation
Act: Clause 10 Improvement

ISO Business Continuity Management Systems, by clause:
Context of the Organization: External & Internal Issues; Interested Party Requirements; Establish Scope; Legal & Regulatory Requirements; BC Management System
Leadership: Management Commitment; Resource Commitment; Establish & Communicate BC Policy; Relevant Roles, Responsibility & Authority
Planning: Risks & Opportunities Plan; Address Risks; BC Objectives; Planning Horizons
Support: ID & Secure Resources; Competencies; Awareness; Communications; Information Required
Operation: Processes; Business Impact Analysis; Risk Assessment; BC Strategy; BC Procedures; Exercising & Testing
Performance Evaluation: Measurement & Monitoring; Evaluate Performance; Internal Audit; Management Review; Communicate/Act on Results
Improvement: Nonconformity; Corrective Actions; Root Cause Analysis; Continually Improve

Page 5: Organization
Context of the Organization (Clause 4): External & Internal Issues; Interested Party Requirements; Establish Scope; Legal & Regulatory Requirements; BC Management System
What Is Included? Locations, services, etc.
What Are Your Legal Requirements? Business continuity/incident response
Who Are Your Stakeholders? Internal and external

Leadership
Leadership (Clause 5): Management Commitment; Resource Commitment; Establish & Communicate BC Policy; Relevant Roles, Responsibility & Authority
Policy
Governance Teams
Who Is In Charge During An Incident?

Page 6: Program Setup
Leadership (Clause 5)
Planning (Clause 6): Risks & Opportunities Plan; Address Risks; BC Objectives; Planning Horizons
Actions to address risks & opportunities: ensuring the BCMS can achieve its intended outcomes
Ensuring business continuity objectives are established & communicated

Page 7: Business Continuity Objectives (Clause 6, Planning)
FEA Business Continuity Management System Objectives:
1. Improve FEA's ability to continue to provide prioritized services to our clients and support services to our employees.
2. Grow business continuity services.
3. Communicate BCM strategy and objectives clearly and consistently to reinforce across FEA culture.
Aligned with a Balanced Scorecard (Clause 9)

Support (Clause 7): ID & Secure Resources; Competencies; Awareness; Communications; Information Required
Engagement through competence, communication and awareness:
Competence: Needs Gap Analysis; Training Plan
Awareness: BC Policy; Your Contribution; Non-Conformance
Communication: Messaging; Frequency; Procedures

Page 8: Support: Competence (Clause 7)
What are the necessary competencies for business continuity professionals?
How do you determine if persons are competent?
We developed our own Business Continuity Competency Model (figure: FEA Business Continuity Competency Model).

Page 9: Operation (Clause 8)
Operation: Processes; Business Impact Analysis; Risk Assessment; BC Strategy; BC Procedures; Exercising & Testing
Business Impact Analysis; Risk Assessment; Procedures/Plan; Exercising & Testing

Business Impact Analysis, key steps:
Interviewing key stakeholders
Breaking services down into key inputs, outputs, processes and steps
Determining what is critical to continuing business
Challenges: logistics of interviews; changing the way we think

Page 10: Business Impact Analysis (Clause 8, Operation)
What are the essential functions your business needs to perform to continue operating?
1. Do you have internal customers that depend on this function?
2. Do you have external customers outside of the organization that this function serves?
3. Are there any regulatory or contractual requirements for this function?

Key outputs from the BIA:
Department MAO (maximum acceptable outage)
Department Criticality
Department MBCO (minimum business continuity objective)
Organization Criticality
Organization RTO (recovery time objective)

Page 11: Risk Assessment (Clause 8, Operation)
Loss scenarios: Loss of Facility; Loss of Personnel; Loss of Telecommunications; Loss of Utilities
The assessment is used to: Inform Strategy; Determine Risk Appetite; Prioritize Implementation Actions
(figure: Organizational Criticality & Risk Rating)

Page 12: Business Continuity Plan Processes (Clause 8, Operation)
Tactical: Alternate Site; Essential Functions; Risk Management; Business Impact Analysis; Communications Plan; Incident Response Plan; Vital Records, Databases and Information Systems
Strategic: Succession Plans; Delegation of Authority; Devolution of Control; Reconstitution; Return To Normal
BC Procedures: Evacuation; Shelter In Place; Alternate Site; Return To Normal

Page 13: Exercising & Testing (Clause 8, Operation): Engagement
Tabletop exercise
Evacuation drills
Situational awareness training
Lunch 'n' Learns
Engaging with local authorities

Performance Evaluation (Clause 9): Measurement & Monitoring; Evaluate Performance; Internal Audit; Management Review; Communicate/Act on Results

Page 14: Performance Evaluation (Clause 9)
Business Continuity Management Systems Scorecard
BCM Strategic Objective: Improve FEA's ability to continue to provide prioritized services to our clients and support services to our employees.
Columns: BCM Strategic Initiative | Owner | Metric | Target | Current Status
Management review of BCMS program | BC Lead | BSC reporting | Once a year | Completed
Conduct Gold, Silver, and Bronze Team review meetings | BC Lead | % participation in annual meetings | 90% participation | 85% participation
Perform BC exercise | BC Lead | % participation in annual exercise | 90% participation | 72%
Perform IT disaster recovery review (restore action to designated folder) | IT BC Lead | # of tests | 2/year | Restore action performed twice (both unscheduled)
Conduct internal audit of BCMS program | BC Internal Auditor | # of non-conformities | 0 non-conformities | 0 non-conformities; some observations to be addressed

Internal Audit: Planned intervals; Ensures conformance to the organization's own requirements; Ensures conformance to the ISO standard; Ensures the BCMS is effectively implemented and maintained
Management Review: Actions from prior management reviews; Changes in internal & external issues; BCMS performance; Opportunities for continual improvement; Required modifications of procedures and controls

Page 15: Improvement: Corrective Actions (Clause 10)
Improvement: Nonconformity; Corrective Actions; Root Cause Analysis; Continually Improve
Identify, React, Evaluate

The 5 Whys:
PROBLEM: The stones in the Jefferson Memorial are deteriorating badly.
WHY? The stones have to be cleaned very frequently.
WHY? Pigeons leave too many calling cards.
WHY? They feed on the heavy spider population.
WHY? They are attracted by a huge moth population.
WHY? The moths are attracted by the monument's lights during their twilight swarming frenzy.
SOLUTION: Turn on the lights two hours later.

Page 16: Improvement: Continual Improvement (Clause 10)
Plan-Do-Check-Act cycle with continuous improvement
Our Results: Organizational Criticality; Employee Engagement; Essential Functions
(figure: Stage 1 Certification, Benefits, Culture Change; Stage 1 Continual Improvement, Recognition)

Page 17: How Can You Do This?
Understand the Standard: what does it require?
Determine Scope: what part of the organization?
Determine Readiness: what are we missing?

Putting It All Together. Critical factors for success:
Management engagement
Business Impact Analysis
Balance detail with ease of use
Relationships
Employee engagement

Page 18: Let's Connect
Maureen K. Roskoski, CFM, SFP, LEED AP O+M
Business Continuity Lead, Corporate Sustainability Officer
maureen.roskoski@feapc.com

Page 19: Equipping You For Success
Maureen Roskoski, CFM, SFP, LEED AP O+M, Senior Professional, Corporate Sustainability Officer
Identify Benefits; Implement System; Engage Team; Evaluate Performance

Page 20: Identify Benefits
Business resilience is the ability to rapidly adapt and respond to business disruptions while maintaining continuous business operations. Business resilience planning provides guidance for ensuring the ability to respond, resume, and restore to a pre-determined level of operation following a disruption. At FEA, we help our clients strive for resilience through comprehensive planning that takes a holistic and long-term view of the threats and their individual enterprise, in order to ensure that the business is prepared to avoid, mitigate and recover from adverse events.

But what were we doing ourselves? Were we walking the talk? To make sure that we had an effective program, we decided to pursue certification under the ISO Business Continuity Management Systems standard. Our journey started in 2015 with a commitment from the FEA Board of Directors to allocate time and resources to our ISO certification.

Certification can add value, but more importantly, adopting and leveraging standards can contribute to improved performance in most cases. By simply adopting standards, even without certification, organizations realize value in three key areas (Figure 1):
1. Manage Risk. In a prioritized manner and consistent with organizational strategy, the business proactively manages risk, instead of simply reacting to it.
2. Maintain Focus. The business continuity planning team achieves continuous commitment and improvement through planning and plan maintenance efforts.
3. Integrate Processes. The organization benefits from a greater understanding of business continuity as it integrates preparedness into all critical processes.

Figure 1. ISO Certification Value: adding value while improving performance through 01 Manage Risk, 02 Maintain Focus and 03 Integrate Processes.

Page 21: Implement System
The mission of FEA is to provide facility managers and owners with progressive and innovative solutions to engineering and facility lifecycle challenges. Thus, it is critical that FEA maintain a robust business resilience program to ensure the stability of operations and services for our partners, our community, and our clients around the world.

Like many organizations, FEA had some documentation related to what to do in the event of an emergency. We had evacuation procedures and were confident we could get everyone out of the building if needed. But what happens as everyone is standing in the parking lot and we are told we can't get back into the building for a significant period of time? We needed a plan.

We used the ISO standard to build a management system. The standard provides a good framework for developing not only a business continuity plan, but a full management system, framed around the Plan-Do-Check-Act cycle (see Figure 2).

Figure 2. Plan-Do-Check-Act Cycle (Plan, Do, Check, Act, with continuous improvement).

Through the ISO certification planning process, we expanded our organizational resilience in clear and tangible ways by creating, implementing, and training on business continuity and emergency response procedures. Effective business resilience planning includes critical elements that became evident to us as we went through the ISO certification process, including:
1. Management engagement. Engagement with leadership is crucial to generate enthusiasm and gain support for allocation of employee time.
2. Business impact analysis (BIA). This effort allows you to truly identify the critical processes that are needed to continue to function and how soon you need them up and running.
3. Balance detail with ease of use. Plans and procedures need to be detailed but also need to be user friendly and easy to implement.
4. Relationships. Relationships with local emergency authorities and our certification body enhanced our certification process.
5. Employee engagement. Everyone plays a role in business resilience, so everyone needs to be aware and engaged in the process.

Page 22: Engage Team
Other tangible outputs of our planning process were the employee handbooks that we created. First, our "Safety 1st" handbook outlined specific procedures to follow in many different emergency situations. Second, our Readiness Handbook was a user-friendly short guide that combined the most important points of the emergency preparedness procedures and our business continuity procedures. These handbooks were great engagement tools, provided procedures to exercise, and continually serve as reminders to employees of what their responsibility is during a particular event.

The certification is a great achievement, but the journey to certification, although challenging, was by far the greatest benefit. By documenting competence, raising awareness, and actively communicating with all FEA employees, we invigorated a core team of business continuity professionals, engaged with our employees companywide, and created a culture of organizational resilience.

Employee Engagement (figure): Competence: Needs Gap Analysis, Training Plan; Awareness: BC Policy, Your Contribution, Non-Conformance; Communication: Messaging, Frequency, Procedures.

Page 23: Evaluate Performance
ISO requires exercising and testing of your management system procedures. This allows us to test them, see if they really work, and get our teams used to the process and practice their roles. Since we hopefully don't have emergencies often, we need to practice our specific roles. We conducted a FEMA tabletop exercise which consisted of an event with warning, "Hurricane Zoe". Conducting exercises provided an opportunity to expand relationships with local community and government agencies. We involved property management, as well as local police and fire officials, throughout the process.

In order to ensure our management system is effective and meets both ISO standard requirements and our internal needs, we implemented these practices:
Internal Audit: Planned intervals; Ensures conformance to the organization's own requirements; Ensures conformance to the ISO standard; Ensures the BCMS is effectively implemented and maintained
Management Review: Actions from prior management reviews; Changes in internal & external issues; BCMS performance; Opportunities for continual improvement; Required modifications of procedures and controls

FEA pursued the certification to strengthen our organizational resilience and to enhance our ability to continue our business during a disruptive event. We achieved ISO certification under the Business Continuity Management Systems standard for FEA's Fairfax Office in January of
Everyone at FEA, in all of the offices, is part of Business Resilience. With our ISO certification, FEA has put into practice the system we advise our clients to implement to help ensure strong operational resilience, corporate governance, and crisis management planning. To learn more about FEA and Business Resilience, visit

Page 24: How Can You Do This?
Business Resilience Model (figure): Determine Readiness; Determine the Scope; Understand the Standard. How long can you afford to be down? What functions are essential for your operations to continue? How will you continue to analyze your risks over time?

The process to achieve ISO certification starts with understanding the requirements of the standard and where your organization stands. The ISO standard provides a framework to develop your business continuity strategy based on a foundation of business impact analysis and risk assessment. With requirements for continual improvement, the management system creates a reliable program. Ultimately, when appropriately planned and managed, the certification process can not only create an effective management system, but also build a culture of organizational resilience.

Business Resilience, DRJ SpringWorld, Tuesday, March 28, 2017, 10:45am
Maureen Roskoski, maureen.roskoski@feapc.com
Building a More Resilient Tomorrow Today