How Prepared is My Company ???
Have you ever asked yourself that question, or worse yet, been asked by a senior executive or the owner? We believe strongly that the only real way to answer that question is to have your preparedness plan audited, preferably by a qualified independent external auditor. We ran across a great article this month published by Preparedness, LLC and wanted to share some of the wisdom with you.
How capable is your preparedness program?
Will it protect the lives of your employees if there is a fire or active shooter in your building? Will the recovery strategies in your business continuity plan enable you to promptly resume operations when your building can’t be reoccupied? Will your communications plan enable you to quickly and effectively communicate with your customers and stakeholders as news of the incident is tweeted or posted on Facebook before the first responders even arrive? Is your program compliant with the increasing number of federal, state, and local regulations?
There are many misconceptions of what constitutes a preparedness program. Is it a disaster plan? Is it an emergency plan? Is it a business continuity plan? Is it a crisis management plan? A preparedness plan is more than a plan or plans. It is a management program custom designed to protect your employees, facilities, business operations, the environment, and your brand, image, and reputation.
The only way to determine whether your preparedness program meets the needs of your company is to conduct an audit.
What is an Audit?
The International Standards Organization (ISO) defines an audit as a “systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”.
The International Professional Practices Framework published by the Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Regardless of who audits your program, audit standards should be followed and national or international standards should be used as the audit criteria.
Planning an Audit
When planning an audit, decide what you want to accomplish. Do you want to know whether your program meets regulatory requirements? Does your program conform to national standards such as NFPA 1600? Maybe you want to prepare for an audit by your most important customer or business partner.
The audit objectives will help to identify the criteria that will be used to evaluate your preparedness program. The criteria may be internal company standards, or you may choose to use standards such as NFPA 1600 “Standard on Disaster/Emergency Management and Business Continuity Programs” or ISO 22301 “Societal security – Business Continuity Management Systems – Requirements.” These global standards provide comprehensive criteria for assessing a preparedness program.
If auditing to one of the global standards, the auditor must be knowledgeable in the standards that will be used. Auditors must have subject matter expertise in emergency management and business continuity, demonstrated knowledge of your industry, and professional certifications such as the Certified Business Continuity Planner (CBCP) from the Disaster Recovery Institute.
A dialog with your auditor will help you determine the scope of the audit that will accomplish your objectives. Auditors must collect “evidence” to determine whether the audit criteria – the standard – have been met. Scope will include the components of the program that will be audited (e.g., emergency operations, business continuity, etc.); facilities that will be surveyed; the persons with responsibility for aspects of the program who will be interviewed; and program documentation that will be reviewed.
A successful audit requires advance planning to ensure that representative evidence can be collected by the auditors. Planning should ensure that the following are available at the times specified in the audit schedule:
- Program plans (emergency response, business continuity, information technology disaster recovery, crisis management, crisis communications, risk assessments, business impact analyses, and prevention/mitigation strategies)
- Records of training, education, testing, drills, and exercises
- Access to facilities to become familiar with business operations, hazards, and assets at risk
- Persons who have a defined role in the program
- Senior management for an interview and to attend the audit’s closing conference.
Auditing Elements of the Preparedness Program
The auditor must gather and evaluate sufficient evidence to determine whether the preparedness program conforms to the selected criteria. The following are elements of a preparedness program that should be evaluated by auditors. These elements are taken from NFPA 1600 and best practices as defined by the Disaster Recovery Institute (DRI).
The success of any program is dependent upon the commitment, direction, and support of senior management. Auditors should assess leadership of the program. Auditors should also review the membership of the entity’s “program committee” to assess whether required input is provided.
Auditors should also evaluate program objectives, budget, and schedules as well as records management and change management practices.
Risk Assessment & Business Impact Analysis
An understanding of the hazards, threats, and risks that could impact life safety, physical assets, business operations, the environment, and the entity’s brand, image, and reputation is a critical foundation of the preparedness program. Prevention and mitigation strategies, emergency operations plans, and business continuity plans must address identified hazards and threats.
The Business Impact Analysis (BIA) gathers information for development of the business continuity plan. Prioritization of business operations, determination of maximum downtimes, and identification of the resources required for continuity and recovery strategies must be accomplished during the BIA.
Prevention and Mitigation
Auditors should use the risk assessment and BIA documentation to assess whether opportunities for loss prevention and hazard mitigation were identified. Auditors must also review prevention and mitigation strategies, which identify how risks will be managed.
A preparedness program is no different than any other program. It requires numerous resources: funding, people, expert knowledge, training, facilities, equipment, materials, technology, information, and intelligence. The auditor will assess whether the entity has conducted a needs assessment to identify required resources based on the hazards identified and the response and recovery plans that have been developed.
Alerting, Communications & Warnings
Alerting of team members and public emergency services as quickly as possible; warning of persons at risk; and the ability of the team to communicate will be assessed by the auditor. The reliability of systems and testing of protocols and procedures that dictate when and how systems are used will be reviewed.
The auditor’s review of emergency operations or response plan should determine whether procedures for foreseeable hazards or threats identified during the risk assessment have been included. Actions to protect life safety (e.g., evacuation, shelter-in-place, and lockdown), property conservation, incident stabilization, and protection of the environment will be reviewed. The auditor should identify whether team members have sufficient staffing, training, equipment and other resources to safely fulfill their functions and comply with regulations.
Business Continuity & IT Disaster Recovery Planning
Auditing the business continuity and IT DRP must determine whether business continuity and recovery strategies can maintain or restore critical or time-sensitive functions and processes within the timeframe determined during the business impact analysis. The auditor must assess whether the personnel, procedures, and resources required to execute continuity strategies are or will be available when needed.
Crisis communications is more than interfacing with the news media. Communication with stakeholders is essential to protect brand, image, and reputation. The auditor will review crisis communication plans to determine whether internal audiences (e.g., employees, management, the board, etc.) and external audiences (e.g., customers, regulators, government officials and agencies, etc.) have been identified. Plans to be assessed include communication strategies, pre-scripted templates, and technologies to communicate customized messages to each identified audience during and after an incident.
Training, Education, Testing & Exercises
Without training, drills, testing, and exercises, the preparedness program will be nothing more than paper. The auditor will review the staff training curriculum to determine what is required and when it should be provided to each class of employee. Training records will be reviewed to determine if the required training is actually being carried out.
After-action reports from testing and exercises should provide a picture of the implementation of the program and effectiveness of the exercises. The auditor will ascertain that action items from exercises are being used to update the preparedness plan to effect continuous improvement.
Change is constant. The preparedness program must keep pace with changes, both internally to the organization and in the external environment. Policies, procedures, and capabilities must be evaluated through periodic reviews using the program’s performance objectives as criteria. The auditor must assess the metrics used for program review; whether periodic reviews are conducted; and whether corrective action is pursued until completion.
Reporting Audit Findings & Recommendations
At the completion of the audit, a closing conference should be held to discuss the preliminary findings, identify incomplete or missing information; address information gaps or conflicting information; and confirm reporting requirements. Findings should be accurately reported along with recommendations to improve the program.