It's important under your requirements for products and services that you've already understood what the requirements are
· based on specification,
· based on standards,
· based on customer requirements,
· based on contractual project delivery,
· and how you demonstrate the necessary information on how you're going to meet those requirements.
You have to have that information available that you can provide as required.
You also have to be able to demonstrate how you handle inquiries through to contracts, orders, delivery, and any changes associated to that. This might not necessarily be change management in the process sense within your business, but it could be associated to changes in customers’ requirements i.e. order changes, specification changes, changes at a site timeline, things like that.
How are those changes captured? How are they documented? How are they properly communicated, and if required, where you give feedback associated to that.
It's also important to recognize how you handle complaints.
You've got to think about the term complaint in quite a broad spectrum, it might not necessarily be a formal, non-conformance, it could simply be associated to someone saying that they weren’t happy how something was handled by an email or telephone inquiry. Might be somebody's not happy about saying that they had fed back that they wanted the parks delivered to a set location, and they change that location, but it's clear that that change that was made wasn't handled correctly by your organisation, and they are effectively completing about the method and how it was handled.
Handling and controlling customer property.
This is quite a key one, if you bring in customer property to your location and use it as part of a project, or whether customer property is loaned to you as part of the services you provide. The key area here it is, you have to identify a number of things.
One being, if you bring in customer property that brings in additional risk to your business, you have to consider what risk assessments you do and controls you put in place associated to that property.
Additionally, you have to think about the control associated to who owns that? So, the traceability associated to that customer property and you have got to remember, this can also be intellectual data. It could be designs, it doesn't necessarily actually have to be a physical item.
You also have to consider, if you're a service organisation, when you go to a location that could be your customer's property, their facility, and you're doing an installation, you have to recognize that the controls that are put in place associated to that may involve that you have to follow certain protocol because you're entering into their property. It could be that your processes, procedures and so on, that you follow, the risk mitigation measures, do not comply exactly, or meet the requirements of what they expect, so it's the processes you take to follow their requirements.
The last one in this area is about contingency. Where that's required, what measures do you have in place that you can take contingency action?
That could be associated to things like, changes in economic or governmental direction, just now is a prime example of that where any operations are shut down.
What activities and practices do you have in place for contingency action? It could be quite extreme measures, that you simply have to communicate to your workforce and communicate to your customers, that given the current situation, you cannot continue to operate the way you were, you cannot visit that site, your production lanes are shut down etc. Or it could be a lesser level of that, it's about the contingency actions that you would take to address, depending upon the issues at hand.
We also have to think about what the requirements are in terms of our customer’s needs and so on but we have to think also, outside of that, with regards to internal and external issues, and interested parties, we have to think of that along the lines of our statutory and regulatory requirements.
If we were delivering a service, going into an environment that was quite different from what we were used to working on, we have to consider how we educate ourselves, and how we communicate that information about these changes and statutory or legal requirements at that site that we're going to work at. It could be different from what we usually used to, therefore we may need to bring about additional training, specifically to go to that location, or it might simply be that we have products and services that we are delivering into a new customer, a new industry that has some additional requirements over and above what we normally would have.
How do we ensure that we determine what those are? How do we demonstrate that we've got the applicable controls for that?
Within operations, we spoke before about the planning phase about understanding what our risks are, obviously, all organisations need to be able to demonstrate that they plan for emergency situations. These emergency situations can be obviously associated to environment health and safety and also business. Emergency situation at the moment could be that a number of organisations have business continuity plans already in place, and are having to act upon those business continuity plans.
What are they doing to ensure that they have that connect preparedness in place?
How they are going to respond to it?
And importantly, how they recover from that emergency situation.
All of that's driven from mitigation measures that they would try and have.
Within this area it’s important to recognize the main elements here are also associated to emergencies to the environment, and human health, for example,
· fire,
· explosions,
· potential for some emergency situation where it could have an impact on human life or the environment.
This is where we demonstrate that we have emergency response plans, we are showing that we have trained the appropriate people on the emergency response plans where they have a role within that to play.
Where we've made others, that we need to follow it, aware of it, part of our communication methodology in terms of our inductions, and any changes that go about associated to that.
Then of course, we have to test it. It’s all good and well having a emergency plans, and preparedness and responses in place and documentation of what we will do in these situations. But actually, it's when these situations occur, that we best find out how well they are working.
We don't want to have a real situation occur; therefore, we want to test them and this is one of the reasons why we test emergency response items. This is why we do fire drills. This may be why we test to a desktop exercise on an emergency response activity, maybe also do desktop exercises on our business continuity plans.
We also have to think emergency and planning to respond to emergencies can come in all shapes and forms, what is an emergency to one company may not be to another. For example, if your company has to rely extremely heavily on the safety of the workforce and the complexity and function of your business around IT infrastructure, you may consider that you have an IT disaster recovery plan, which is a form of an emergency preparedness, and it may include or be a subset of a business continuity plan.
It's important also that these things where possible are tested, and there's no one expecting companies to shut down their production, shut down that IT systems, set fire to something to try and mimic that, what it's about is trying to get as close as possible to the actual event to do a test on it, or drill whatever you want to call it, and the whole purpose of really is to evaluate that everyone is responding and the systems are responding as expected.
When we evaluate it, it's important to recognize where there might be some weakness.
It could be some of that weakness is associated to locations within your facility, or when certain work activities are going on, possibly, sounders can't be heard, people can't be made aware. I've regularly seen sites where there is a subset location where some heavy work or high risk work activity goes on, it's in a different location on a site and often the PPE requirements there and the work activity that goes on means that these people may not hear the regular sound that the office workers or the other people on the site might hear.
You have got to understand what those controls are that are in place and when these situations occur, what responses you have to ensure that these activities can be demonstratable. This is a significant part of your internal audit process, evaluation of your emergency preparedness response, it sounds like an isolated thing, but actually, it's just another form of auditing.
It's just another form of checking that what you plan to do, can be achieved and where there are weaknesses, that you can demonstrate that you improve your systems, improve your methods, and importantly, like anything to do with change, that those changes and improvements have been communicated in the workforce.