Maureen Roskoski 2017-09-14 09:04:58
This is the fourth in a five-part series breaking down the International Organization for Standardization (ISO) management system certification process. In the last installment, “Planning and Resourcing to Support the MSS Certification Process” in the July/August 2017 issue of FMJ, we discussed Clauses 6 and 7 of ISO’s harmonized management system standard (MSS). In that article, we emphasized aligning your MSS objectives with your organization’s strategic objectives and how that can empower your management system to achieve its intended outcomes. It also encouraged you to think about how engagement and communication are essential in maintaining your management system. Establishing the proper foundation for your team often yields more benefits than most of the documentation you will put together. That foundation includes competency modeling, building engagement across the organization through awareness and developing a strong communication plan.

In this article, we move to the next step in the Plan, Do, Check, Act cycle — the Do phase. Here, we’ll focus on implementation, or Clause 8: Operation of the MSS. With operation, we arrive at the heart of each standard. This is where you implement procedures and processes and perform actions in support of your MSS.

Clause 8 contains a consistent 8.1 Operational planning and control across all MSS areas. Each MSS requires that we plan, implement and control the processes needed to meet our specific MSS requirements. The actions align directly with Clause 6.1, where we identified the actions to address risks and opportunities to ensure the management system can achieve the intended outcomes. This section also ties directly to Clause 9 — performance evaluation — as we are required to ensure the processes are well controlled and are carried out as planned. Operational planning and controls is the only consistency across each MSS that an FM is likely to be familiar with.
Each standard takes content specific to its discipline and designs section 8 to fit its management system. Figure 1 shows the additional sub-clauses in Clause 8 for each MSS.

Let’s take ISO 22301 Business Continuity Management Systems as an example to highlight how Clause 8 focuses on action and implementation. The ISO 22301 standard provides a framework to develop your business continuity strategy based on a foundation of business impact analysis and risk assessment. There are several implementation items within Clause 8 for 22301 that can be summarized into four main categories, as shown in Figure 2.

BUSINESS IMPACT ANALYSIS (BIA)

The first step — business impact analysis — is to identify the essential functions and business processes that will keep your business alive during a disruptive event. The BIA is a process to determine the essential functions of the departments within an organization to determine the minimum level of operation needed for the business to continue. The BIA process includes looking at the activities of each department, understanding the interdependencies of their functions and identifying supporting resources. It is a process that helps to identify the most essential business functions and the critical resources that accompany them.

The outcomes of the BIA include a prioritized list of functions for each department, recovery time objectives for those functions and a desired minimum level of operations to achieve following a disruption. Because your business may not be able to perform all functions in a disruptive state, identify the critical functions you must keep doing to stay in business, to help prioritize your response efforts.

RISK ASSESSMENT (RA)

ISO 22301 requires a formal documented risk assessment process that identifies, analyzes and evaluates the risk of disruptive incidents to the organization. If you are looking for additional ISO alignment, you can conform your risk assessment process to ISO 31000.
The risk assessment process requires the identification of risks, systematic analysis of risk and selection of risk treatments. The objective is to prioritize threats, understand the effectiveness of existing risk controls and identify additional risk treatments to decrease the likelihood or severity of threats disrupting your essential business functions. In the facility management realm, we think of risks such as:

• What critical equipment must remain operational?
• Do I have critical parts in my inventory?
• How many single points of failure do I have in my workforce?

It is also important to prioritize your efforts by evaluating threats using a risk rating. The risk rating — expressed as likelihood x severity — focuses on the threats that would have the greatest impact on your essential functions. These are threats where the effect on associated critical resources is severe and there is a high likelihood of the threat occurring. The results of the BIA and RA help to align mitigation measures with the most critical business functions and improve your ability to respond, resume and recover.

PROCEDURES & PLAN

ISO 22301 requires documented business continuity and incident response procedures. The business continuity plan will include detailed steps to activate your business continuity plan, when to utilize an alternate site and site logistics, identification of roles and responsibilities, and other key items, as shown in Figure 3.

An important part of the plan and ISO 22301 requirements is the command structure. A documented management structure is crucial to clear and consistent decisions and communications before, during and after an event. One person should be in charge, and there should be multiple backups for every role. The Federal Emergency Management Agency’s Emergency Management Institute offers free online courses in the National Incident Management System (NIMS).
There are several courses available, but the NIMS 100 — Introduction to the Incident Command System course is a good starting point for all involved in incident response.

EXERCISES & TESTING

For your business continuity management system to be truly effective, you need a ready workforce. There are two times you can determine if your procedures are working: during a drill or during an event. We are much better off if we identify issues during a drill and fix them before an event occurs. Training is a great way to engage your workforce, particularly emergency response training, as it is personal. Everyone from every corner of the organization plays a role in business continuity and has something to benefit from the continuity of operations.

Facility managers play an integral part at every stage of creating and maintaining operational plans, budgets, trainings, drills and more. You are often the first responders in an incident, before emergency personnel arrive. You also know more about the building and the people in the building than almost anyone else. It is imperative that the facility management team has a seat at the table in incident response and business continuity planning and is active in exercises and drills. Not only does training prepare us to better respond in an emergency, but it is required by law. OSHA 29 CFR 1910.38 requires all US employers to create and train on their emergency action plans.

SUMMARY

The Do part of the Plan, Do, Check, Act cycle is an intensive, time-consuming part of the process. Through the ISO 22301 business continuity management system example, you can see that Clause 8 requires action and implementation. It is the core of your management system. The rest of the MSS sets the framework, measures our progress, maintains compliance and provides for continual monitoring.
The actions in Clause 8 also align with Clause 6.1, where we ensure the management system can achieve the intended outcomes, and tie to Clause 9, Performance evaluation, as we are required to ensure the processes are carried out as planned. Everything you do as a facility manager enables your organization to continue its mission. Whichever MSS you choose is a valuable tool to help you achieve that goal.

MAUREEN ROSKOSKI, CFM, SFP, LEED AP O+M, is a senior professional and the corporate sustainability officer at Facility Engineering Associates (FEA). With 20 years of experience in facility management consulting, Roskoski has worked with clients on organizational assessments, FM technology process improvement, sustainability and resilience planning. Roskoski is FEA’s business continuity lead, managing FEA’s Business Continuity Management System, and she led the effort to achieve ISO 22301 Business Continuity Management System certification for FEA’s Fairfax, Virginia, USA, office in January 2016. FEA pursued the certification to strengthen its organizational resilience and to enhance its ability to continue business during a disruptive event. While the certification was a great achievement, FEA found that the journey to certification, although challenging, was by far the greatest benefit. The core team of business continuity professionals was invigorated, engagement with employees increased company-wide, and a culture of organizational resilience was created.
Published by International Facility Management Association.
This page can be found at http://fmj.ifma.org/article/Operating+Your+MSS/2882459/437957/article.html.