“Now we are certified, we can approach our clients from a position of first-hand knowledge of the process – it’s a strong position to be in.” Andrew Macleod, BCM Consultant.
The thought of an external assessor arriving on site can leave some feeling apprehensive, particularly those employees that haven’t before been through an external assessment. In the case of Needhams, its Managing Director and BC Lead Auditors all clearly understood the external assessment process and what was required of them however it wasn’t the same for all staff. Their recently appointed Office Manager was nervous about the assessment as she felt that she hadn’t the in-depth knowledge of business continuity shared by colleagues.
To alleviate the apprehension felt by some, the company held a training session to ensure that all employees had appropriate knowledge of the company’s Business Continuity plans and additionally, were fully prepared for the assessment. When the LRQA assessor did arrive it was clear that he was seeking proof of a depth of knowledge appropriate to the role that the individual played within the organisation.
Needhams had initially chosen to work with LRQA because of its practical approach to the assessment. “We chose to work with LRQA as we found them the most helpful in enabling the certification to happen. Our LRQA Account Manager came to visit to talk us through the process and we liked the approach,” comments Andrew.
“And this was borne out by the nature of the assessment itself. We found it a valuable experience and have learned some pointers from the assessment that we will be able to use with our own clients. For example, our plan was designed to give the structure to enable the Recovery Time Objectives (RTO) of critical activities identified in the Business Impact Analysis to be met. We had taken the view that specific plans for critical activities were not required. Our shortest RTO is 18 hours giving us time to develop a response to any disruption.
“However, this did cause some issues with our assessor. We had the practical challenge of being able to show that the business continuity plan can achieve what we expect it to do.
“We recognise from this that there is a direct correlation between the recovery time objective of a critical activity and whether you then need a Business Continuity plan, that is, a set operating instruction or contingency procedures that allow you to deal with a specific incident. So, if your RTO is 4 hours you simply don’t have time to go through the thought process of designing a solution, it is therefore important to have a set procedure to follow.
“Our assessor’s approach of structuring plans to enable RTOs is an excellent demonstration of the required detail in the plan that we can use to highlight to organisations when they have restrictive RTOs,” concludes Andrew.