ISO 9001& ISO 9004: A Framework for Disaster Preparedness Revisited #2

Applying ISO 9001 and ISO 9004

This is the second blog revisiting my 9/11 Disaster Preparedness article in the February 2002 issue of Quality Progress. How can ISO 9001 & ISO 9004 be used in disaster planning? While these standards provide a basic structure from which to approach the planning process systemically, the focus must be on developing a comprehensive disaster plan, not just on managing processes.

Once a basic set of questions has been developed after meeting with senior management, the focus can be further refined to tailor the plan to meet the needs of the organization. In the section entitled “Questions to Ask,” sample questions are framed within some of the elements of ISO 9001 & ISO 9004.

As noted in the article, no one likes to be surprised, least of all senior management. Senior management will expect to review the plan as it evolves. The following points are critical:

·       Companywide planning objectives must be established.

·       A mission statement must be issued by senior management before the disaster planning   

      process begins.

·       The scope of the review, planning milestones and timelines must be established.

·       Personnel must be assigned to tasks and schedules established.

A Systemic Focus

Companies using ISO 9001 & ISO 9004 to develop a strategic disaster plan do not need to become certified to ISO 9001, but it can be helpful. Once clauses from the two standards have been used to provide a systemic focus to the planning effort, planners can revisit the elements to determine what might be missing. For example, since financial planning and R&D often are not included in many ISO 9001 Quality Management Systems, these functions would need to be incorporated into a viable disaster plan.

Questions to Ask

The following sample questions are framed within the structure of one element of ISO 9001 and ISO 9004. The objective is to illustrate how the standards can be used in the planning process. Of course they must be adapted to the needs and type of organization.

Managing Systems and Processes

·      What are the needs of the organization?

·      What organizational and management structure is used to accomplish these objectives?

·      What is the legal structure of the organization?

·      Who are the stakeholders?

·      What is the overall planning structure of the organization?

·      What plans are in place at present?

·      How many corporate divisions and sites are managed by the organization, and what is their  

     function (for example, corporate management, R&D, production or service delivery)?

·      What is the financial structure of the organization?

·      What type of security systems are employed in the divisions and at different sites?

·      What type of information & communications systems (hardware and software) are used to operate the business and manage production and services?

·      Do any fail-safe backup systems exist?

·      How is proprietary information and intellectual property handled?

·      What contingency plans exist for shifting production and service delivery to alternative  

     locations?

·      How much and what type of insurance is carried by the organization?

·      What are the processes used to manage the organization?

·      What are the sequence of these processes and their interaction?

·      What criteria and methods are used to ensure that the operation and control of these processes are effective?

·      How are these processes monitored, measured and analyzed?

·      Are any processes that affect product conformity outsourced?

·      If so, how are these processes monitored within the quality system?

The February 2002 Quality Progress article developed additional ISO 9001 & ISO 9004 questions to illustrate the approach for Documentation; Statutory and Regulatory Requirements; Quality Policy; Responsibility; Authority and Communication; Production and Service Operations; Control of Nonconformity; Corrective Action; Resource Management; Human Resources; Infrastructure; Work Environment; Information; Financial Resources; Design and Development Planning.

Again, the demonstration of the approach did not use all of the elements of ISO 9001 & ISO 9004 and did not develop the full complement of possible questions for each element. The objective was to demonstrate how this type of approach would work.

Critical Issues to Remember

Timing is critical. Catastrophic events happen quickly and, in most cases, without warning. It is necessary to develop an emergency response procedure and create a crisis management team to deal with the public and press.

·      Companies need to have both immediate and long-range responses that are planned and timed. The impact of downtime will depend on how rapidly a company is able to begin intermediate and later long-term operations.

·      Clearly, all critical information, including operational records and documents and environmental compliance records should also be stored off-site so that they can be retrieved when needed. Also, the QMS manual, procedures, records, work instructions, flowcharts, minutes and other critical data should be in electronic form and also stored off-site as well.

·      Backup computer operations (hardware and software) should exist in duplicate form so that they can be accessed whenever necessary. Quality records and documents such as design documents, production records, financial records and supplier records also should be stored in duplicate off-site so that operations can begin again as quickly as possible.

·      Companies that manufacture one-of-a-kind products should have duplicate design records. Companies that CE Mark products should have their Technical Files (Parts A&B) stored electronically off-site as well.

·      Depending on the nature of the disaster (for example, flood, mudslide, explosion, terror attack, sabotage, etc.), personal liability lawsuits could ensue. Operational data will become critical in defending the company.

·      Product liability and criminal liability lawsuits also could be initiated after a plant or facility is destroyed by disaster. Such lawsuits often occur several years after a product is first manufactured. Without data to prove that products were designed to be safe, production was under control and complaints were dealt with in a timely fashion, an organization could be at the mercy of juries that must determine the facts of a case. The truth is that if you can’t prove it doesn’t exist.

The shopworn American aphorism, “If it ain’t broke, don’t fix it” is meaningless in disaster planning. If you don’t plan for all possibilities, your company likely will be out of business.

Summary  

When writing the February 2002 article, I remembered three events in my life that made vivid impressions concerning disaster planning. First, when I was in Law School a fire broke out in some commercial buildings that had been acquired by the University of Wisconsin for graduate student offices and laboratories. The newspaper accounts said that the work and records for over 40 doctoral dissertations were destroyed. Second, when I was a doctoral candidate at the University of Kansas, I made duplicate copies of my dissertation and as soon as a chapter was finished, I stored three separate copies at three separate locations in the city. Finally, when I was vice president of a university, I discovered that student records and transcripts have always been created in duplicate and stored in different locations to avoid any possibility of a records disaster.

Parts 3 and 4 of this blog will deal with disaster planning and the response to catastrophic events since 9/11. Have any lessons been learned? If you have disaster preparedness concerns, you can contact me for a free preliminary consultation at theguide1@comcast.net.