November 2004 e-Newsletter

“We endorse the American National Standards Institute’s recommended standard for private preparedness. We were encouraged by Secretary Tom Ridge’s praise of the standard, and urge the Department of Homeland Security to promote its adoption. We also encourage the insurance and credit rating industries to look closely at a company’s compliance with the ANSI standard in assessing its insurability and creditworthiness. We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. Private-sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. It is ignored at a tremendous potential cost in lives, money, and national security.”

What’s particularly important is the commission’s recommendation that insurers factor in a firm’s support for NFPA 1600 when underwriting policies, as well as, other financial considerations. This could potentially help companies save money, for example, on certain types of insurance premiums – a very useful way to justify the cost of business continuity and related investments.

An interesting table maps FEMA’s Capability Assessment for Readiness (CAR) Emergency Management Functions with NFPA 1600’s chapter/section outline and the BCI/DRII Professional Practices. This table is among the most useful items in the standard, as it provides a bridge across three well-known industry standards. In addition, the document has lists of emergency management organizations in the public and private sectors, lists of periodicals, professional associations, list servers and forums, various incident management resources, and other relevant NFPA standards. In short, it’s a comprehensive, yet flexible, document. You can see it at: www.nfpa.org/PDF/nfpa1600.pdf?src=nfpa

Another document of interest is the Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning booklet. The booklet addresses the process for financial institutions to ensure the maintenance or recovery of operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, or terrorism. See it at: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf

The International Business Continuity Guideline being developed by ASIS (an international organization for security professionals) encompasses all elements of disaster management and recovery. It can be seen at http://www.asisonline.org/guidelines/guidelines.htm

This article was based on information from the September issue of the ContingencyPlanning.com e-Newsletter. To see more on this subject and other business continuity issues, go to: http://www.contingencyplanning.com/features/sep04.htm

The October 2004 issue of CrossTalk, the Journal of Defense Software Engineering, includes an article by Capers Jones titled, "Software Project Management Practices: Failure Versus Success".

The analysis of approximately 250 large software projects between 1995 and 2004 shows an interesting pattern. When comparing large projects that successfully achieved their cost and schedule estimates against those that ran late, were over budget, or were canceled without completion, six common problems were observed:

poor project planning
poor cost estimating
poor measurements
poor milestone tracking
poor change control
poor quality control

By contrast, successful software projects tended to be better than average in all six of these areas. Perhaps the most interesting aspect of these six problem areas is that all are associated with project management rather than with technical personnel.

Two working hypotheses emerged:

1) poor quality control is the largest contributor to cost and schedule overruns
2) poor project management is the most likely cause of inadequate quality control

To see the full article in CrossTalk, go to <http://www.stsc.hill.af.mil/crosstalk/2004/10/0410Jones.html>.

The 2nd Edition of the Automotive Certification Scheme for ISO/TS 16949:2002, Rules for Achieving IATF Recognition, requires organizations and registrars to conduct process-based audits. According to section 2.7, each onsite audit by a registrar (initial, surveillance, and recertification) must include an audit of:

a) Implementation of requirements for new customers since the last audit
b) Customer complaints and organization responses
c) Internal audit and management review results and actions
d) Progress made toward continual improvement targets
e) Effectiveness of the corrective actions and verification since the last audit
f) Effectiveness of the system with regard to achieving both customer and organization objectives

And, every audit must include auditing on all shifts.

Every surveillance audit must be planned around the processes of the organization, taking into account current customer and internal performance data, internal audit and management review results, and the same information pertinent to any new customers since the last audit. Items a) and b) in the list above should be obtained during planning for the surveillance audit.

Every surveillance audit must re-examine some of the organization processes so that all of the processes, and all customer specific system requirements, have been re-examined within each three year cycle.

Every recertification audit (three year cycle) must re-assess the:

Effective interaction between all the processes defined in the quality management system
Effectiveness of the system in its entirety, considering internal and external changes that may have affected the system

Sections 2.11 and 2.12 state that audit plans must be based on the processes of the organization. The audits must evaluate the effectiveness of the system, its linkages, its requirements, and its performance. Part of the evidence required is process-based internal audits being conducted by the organization, followed by a management review. The effectiveness of the system should consider how well the system is deployed, as demonstrated by the defined measures, to meet customer satisfaction and company objectives.

Annex 5 states that ISO/TS 16949:2002 audits must not be driven by a "clause" or "section" driven checklist. The automotive approach for process-based audits begins by identifying the organization's processes and evidence that they address all the requirements of ISO/TS 16949:2002. These processes are then analyzed according to this criteria:

Products provided to the customer
Risks to the customer
Interfaces (process inputs and outputs)
Identification of group processes for an economical and effective audit

Audit activities are to be prioritized based on:

Customer requirements, including customer-specific system requirements
Followup issues of prior audits (external and internal)
Customer satisfaction and complaints status, including customer reports and scorecards
Key indicator trends for the previous 12 months, minimum
Value (add) to the audited organization

Are you planning to seek registration to ISO 9001:2000 or one of the related industry sector schemes? Be prepared to encounter one or more of these problems on your journey:

1. Difficulty identifying and creating new processes within the system.

2. Creation of unneeded detail in documented procedures and instructions.

3. Lack of visible and demonstrated management commitment and support.

4. Personnel not following the prescribed procedures per their training.

5. Resistance by some employees to process measurements and change.

6. Conflicting interpretations within the organization and by the registrar.

7. Mandated and unrealistic timeframes declared by top management.

8. Required use of inherited policies and procedures from other organizations.

9. Ineffective corrective actions based on poor root cause analysis.

10. Lack of information and internal communications on plans and results.

11. Lengthy and untimely document review and approval process.
12. Delays due to a limited budget and higher than expected costs.

By recognizing what might go wrong, you can do a better job of avoiding these typical obstacles on the path to registration.

To enroll in these public classes, go to Class Schedule at our web site, or call us at 800-404-7585. Classes taught by Larry Whittington are shown in yellow.

ISO 9001:2000 Lead Auditor (RAB Accredited) - BSI Management Systems
Initial course version developed by Larry Whittington

November	December	January
01-05 Detroit, MI	06-10 Orlando, FL	10-14 Reston, VA
01-05 Reston, VA	13-17 Atlanta, GA	24-28 San Diego, CA
15-19 Houston, TX	13-17 San Jose, CA	31-04 Houston, TX
29-03 San Jose, CA	- -	- -

ISO 9001:2000 Internal Auditor (RAB Accredited) - BSI Management Systems

November	December	January
16-18 Atlanta, GA	13-15 Orlando, FL	19-21 San Diego, CA
16-18 San Jose, CA	- -	25-27 Atlanta, GA

ISO 9001:2000 Auditor Update - The Process Approach
Course developed by Larry Whittington

Implementing ISO 9001:2000
Course developed by Larry Whittington

November	December	February
08-09 Reston, VA	02-03 Atlanta, GA	10-11 Atlanta, GA
- -	07-08 San Diego, CA	24-25 Reston, VA

Understanding ISO 9001:2000

November	February
15 San Jose, CA	23 Reston, VA

Understanding ISO 9001:2000 Requirements (Atlanta Only - $295)
Course developed by Larry Whittington

November	February
29 Atlanta, GA	7 Atlanta, GA

Quality System Documentation (ISO 9001:2000)
Course developed by Larry Whittington

December	February
09-10 San Diego, CA	1-2 Reston, VA
- -	8-9 Atlanta, GA

The above public courses can be offered on-site at your facility. In addition, we offer these on-site courses:

-top-

Copyright © 2000 - 2007 Whittington & Associates, LLC. All Rights Reserved. 242 Highlands Drive, Woodstock, GA 30188 770-517-7944 or fax 770-517-7945	Site by Frogtown Media Web Design
Whittington & Associates provides training, consulting and auditing services for quality systems based on ISO 9001, ISO/TS16949, TL9000, AS9100, ISO 13485, as well as, ISO 27001, ISO 20000, ISO 22000, and ISO 14001.