You have to meet your co-workers, learn the ins and outs of the company, and begin performing your duties.
Meanwhile, you have to stay safe. This can be a challenge for new workers: Employees in their first month on the job have more than 3 times the risk for a lost-time injury than workers who have been at their job for more than a year, according to research from the Toronto-based Institute for Work & Health.
Possible reasons for this? Peter Smith, IWH scientist, points out that new workers may be performing unfamiliar tasks – some of them hazardous. In addition, the workers may be unsure about their safety rights and responsibilities, and might feel uncomfortable speaking up about a hazard.
“We can only speculate on the ‘why,’” said Curtis Breslin, another IWH scientist who has collaborated with Smith on research about new worker safety. “One thing studies have shown is that there’s a lack of familiarity. That’s a common theme that could be contributing to new workers’ increased risk. The other possibility is that new workers might be encountering more hazards. Or their risk perception – they don’t have the knowledge and awareness, so they’re underestimating the risks. It could be issues with training, maybe they’re not being trained [or receiving] on-the-job, hard-knocks-type training that happens in the first or second month.”
IWH research has found that few new workers receive safety training – 1 out of 5 among a sample of Canadian workers, according to a 2007 study.
“The fact almost 80 percent of workers who were in their first year of employment could not remember receiving any workplace safety or orientation training is worrying for a few reasons,” Smith said. “This likely results in these workers being without important knowledge that could prevent them, or one of their co-workers, [from] getting injured.”
However, according to IWH, as novice workers gain job experience, their risk declines.
Looking at the numbers
In 2013, nearly one-third of the nonfatal occupational injuries or illnesses that involved time away from work were suffered by workers with less than one year of service, according to data from the Bureau of Labor Statistics. Nearly one-quarter of these cases resulted in 31 or more days away from work, said Ken Kolosh, statistics manager at the National Safety Council.
Certain subgroups of new workers are at heightened injury risk. In the agriculture, forestry and fishing industry, 45.4 percent of the injuries and illnesses in 2013 occurred among workers with less than one year of experience. In the construction and extraction industry, it was 34.9 percent.
“That makes sense because a lot of those industries are cyclical; they’re seasonally employed,” Kolosh said. “Almost by definition, many of those workers are always going to be new employees. The construction industry has a lot of seasonal employment. It has a lot of contractor-type workers, so a larger proportion of that population by definition is going to have less than three months of service.”
Construction workers frequently change jobsites as well, which can present problems.
“Every day, you have to be aware of what’s going on. You have to have good communication,” said Scott Schneider, director of occupational safety and health at the Washington-based Laborers’ Health and Safety Fund of North America. “It’s less an issue on unionized sites, where people have a substantial amount of safety training in apprenticeship programs. They also, as apprentices, get mentored along the way. It’s still an issue in the sense you’re going to a different jobsite, and you may not be familiar with that jobsite.”
IWH research published in 2012 concluded that risk was higher among new workers who were older, men and workers in the “goods sector,” including construction and manufacturing. This may be because these jobs have more physical demands, and older workers might be more physically susceptible to injury, Breslin said.
Contractor management software is an important part of managing any company, business or organization’s interactions with the contractors who support its operations and facilities. It is integral to managing all contractor types, from electricians to plumbers, HVAC to garbage removal, paving to painting.
A contractor management system consolidates all contractor information into one database and can then automate processes across national, regional and local contractors.
Contractor Management & Onboarding
The first step in using contractor management software is onboarding your commercial contractors onto the management platform. Once on the platform, your contractors can communicate and transact electronically with your facilities management team, and that team can perform an array of automated activities including work verification, electronic payments and analytics.
Assess both the technology and the level of support of a contractor management solution
Onboarding and training your external contractors on how to get started and use the system is crucial as it will ensure proper and consistent use. Effective onboarding also leads to maximizing value and minimizing errors and risk by automating contractor sourcing, work order management and invoice/payment processes.
To have a truly successful facilities management program, contractors must be fully engaged in the process. That is why, whenever you evaluate a contractor management solution, you cannot look at just the technology. You need to focus on the resources that go into contractor training. What good is software if no one knows how to use it or does not fully understand its features?
A robust contractor management system will include training and onboarding contractors on all aspects of the software and program, including registering and uploading contractor company information (insurance, W9 information, etc.), checking in and out using our GPS check-in/check-out or IVR telephone system, submitting electronic proposals and invoices, and adhering to all of your organization’s specific procedures.
One of the most significant benefits of having all your contractors trained and on board with contractor management service automation is that it enables you to receive objective, quantifiable performance metrics. It minimizes room for error, ensures brand consistency across all locations and avoids costly mistakes. It also ensures compliance by validating that contractors have the necessary and up-to-date insurance and licenses.
Ongoing Training and Web-Based Instructions
Training needs to take place continuously: as contractors hire new employees, as features are added to or modified in the contractor management software, and as a refresher for those already using the system. Training can take place in person, but most contractor management programs find more value and efficiency in web-based instruction (training webinars) for commercial contractors and facilities management teams. Effective training and onboarding save time and manpower in getting your contractors onto the contractor management system and up to speed.
The Advantages of Contractor Management Solutions
Contractor management solutions enable facilities managers to better organize and manage work orders, and monitor performance and productivity. As facilities management becomes more data-driven, it’s critical that contractor sourcing not rely solely on relationships and perceived trust, but also include objective, quantifiable performance metrics. As with every aspect of your operations, you want to make sure you have the best-performing contractors doing your work.
Man-made risks, such as cyberrisk, physical security threats and climate change, are the driving forces in the global threat landscape. Unlike natural risk, which remains a central preoccupation, man-made risks have agency. Simply put, a tornado does not pre-plan where and who it will strike. A cyberattack, by contrast, is generally not a random event. While large organizations can often shield themselves from the financial consequences of many risks, the ensuing reputational harm can irrecoverably erode market share and stakeholder trust. Small- to mid-sized enterprises confront these challenges as an existential threat.
The quest for global risk agility is principally a management framework aimed at changing the way organizations and senior leaders think about risk. Rather than making risk an object of “passive control” and something to be feared, agile decision makers make risk an object to be understood—with a healthy dose of respect—and properly harnessed. There is a risk in doing nothing at all in these turbulent times. Organizations, large or small, can no longer afford to remain on the sidelines.
Organizations tend to be far too passive vis-à-vis their approach to risk management. Risk does not wait for a board to have a quorum among its members before it strikes. Risk also does not recognize the annual planning, strategy or budgetary cycles that are the drumbeat of large enterprises. Too few of these organizations—particularly publicly-listed firms—are marching to the drumbeat and, therefore the short-termism, of the stock market. In the era of man-made risks, decisions need to be framed around longevity and optimization, as opposed to short-term performance and maximization. It is only through this that organizational resilience and a spirit of collective survival will take hold.
The best place to start is to create greater awareness of man-made risk in the context of global risk analysis. Too often, boards and senior decision-makers do not know what questions they should ask of each other, or necessarily where to obtain the right answers. This reality is confounded by the individual silos or domains over which senior leaders reign, largely in indifference to and with independence from their colleagues in the C-suite. The first step is to acknowledge that they may not have all the answers, particularly within the context of long-range planning. It is every global firm’s duty and obligation to develop their own “foreign policy” with respect to operating in international markets. Of course, this also applies to operating domestically, where a rare breed of organization puts its value systems front and center in all decisions, large or small.
Businesses will never be outside the reach of controllable and uncontrollable risk—all they can do is attempt to manage them in a reasonable and effective fashion. In the era of man-made risk, which often clashes with natural risk, many firms need to greatly strengthen their organizational resilience and risk management procedures, or to consider getting into another line of business in another location. Some prime examples are those firms with high profiles and/or a lot of money (that may attract the attention of cybercriminals), those that operate in strategic sectors (that may attract the attention of nationalistic governments), and those located in flood-prone areas or that function in areas of the world particularly prone to terrorism. The intersection between man-made and natural risk will only grow with time, with increasingly profound potential implications.
If 2016 was the year of cyberrisk maturity in that there is not an organization in advanced markets that is not sensitized to their exposure, 2017 will be the year of decision opacity. In other words, decision-makers from large and small enterprises, and across sectors, will be confounded by a world that is increasingly difficult to read and, therefore, to make long-range plans for inventory, investments, hiring and market expansion. Risk can be measured, but uncertainty cannot: Uncertainty creates bank runs, erodes consumer and investor confidence and trust in counterparties and institutions. 2017 will mark a year of intense uncertainty. Those firms already seeking global risk agility—and actively devoting resources to and making decisions consistent with that objective—stand the best chance of actually achieving organizational resilience in the face of such uncertainty.
In the environmental, health and safety industry, emphasis is placed on reducing job-related incidents and increasing the level of workplace safety and compliance. Anything that jeopardizes those priorities needs to be contained and prevented from happening again. Risk management tools provide a systematic method for handling such events with consistency and objectivity.
Using a risk matrix – a tool that quantifies hazards based on severity and frequency – is the first step in that systematic process. A risk matrix defines numerical scales for the frequency and severity of possible incidents to determine how large a risk that event is. For example, if something has high severity and high frequency, it is considered high risk. If something is low in both of those areas, it is considered low risk. This information helps EHS professionals make decisions across a number of areas.
Applying risk management to EHS organizations
Although the risks will be different for every organization, some applications of risk management are beneficial to all EHS organizations.
Incident management: EHS systems need to track any adverse incidents such as injuries, illnesses and chemical spills, among others. Documenting incidents and collecting data helps you contain the effects, get back into compliance and ensure the incidents do not happen again. Using a risk management tool such as a risk matrix helps prioritize these critical issues. It provides a systematic process to follow, which makes it easier to make decisions about handling the situation.
Job safety analysis: Risk management provides a benchmark for JSA, breaking down the individual pieces of a job description and analyzing them with the same methods as an adverse event. Once potential hazards are revealed, the organization can take steps to prevent or decrease the risk through protective equipment or safety regulations specific to the job. Knowing what incidents could possibly occur leads to prevention, which decreases the chance of the incident actually happening.
Corrective action: EHS systems can also apply risk scoring to the corrective action process to determine whether a corrective action was effective. Re-scoring the incident after the corrective action measures the residual risk and shows whether the action worked. This can be repeated as many times as necessary, until the risk has been reduced to an acceptable level.
Enterprise reporting: Having an automated EHS system that collects data is not enough. You need a tool that reports the data in a comprehensive manner, determining general trends and overall impacts. Risk management tools give executives fuel to make informed decisions and changes with support from data. They can connect the root causes of incidents that happen in different departments and look at the EHS enterprise as a whole.
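The following is an added illustration of the risk matrix, incident prioritization and residual-risk re-scoring described above; it is not code from the original article, and the 1–5 scales, band thresholds, acceptable-risk cutoff and sample incidents are assumptions constructed for the example.

```python
"""Risk matrix scoring for EHS incidents, prioritization and corrective-action follow-up.

Added illustration, not code from the original article. The 1-5 scales, the
band thresholds, the acceptable-risk cutoff and the sample incidents are all
assumptions constructed for this example; real programs define their own.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal scales (assumed): 1 = lowest, 5 = highest.
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
FREQUENCY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}

# Risk bands over the matrix cell value severity x frequency (1..25). Assumed thresholds.
BANDS = ((15, "high"), (8, "medium"), (1, "low"))
ACCEPTABLE_SCORE = 7  # assumed: only the "low" band counts as acceptable residual risk


def risk_score(severity: str, frequency: str) -> int:
    """Cell value of the matrix: severity rating times frequency rating."""
    return SEVERITY[severity] * FREQUENCY[frequency]


def risk_band(score: int) -> str:
    """Map a cell value onto the qualitative band used for decisions."""
    for threshold, band in BANDS:
        if score >= threshold:
            return band
    raise ValueError(f"score out of range: {score}")


@dataclass
class Incident:
    incident_id: str
    description: str
    severity: str
    frequency: str
    # (action, severity_before, frequency_before), appended each time a
    # corrective action is applied and the incident is re-scored.
    history: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return risk_score(self.severity, self.frequency)

    @property
    def band(self) -> str:
        return risk_band(self.score)


def prioritize(incidents: list[Incident]) -> list[Incident]:
    """Incident management use: rank open incidents, highest risk first."""
    return sorted(incidents, key=lambda i: (-i.score, i.incident_id))


def apply_corrective_action(inc: Incident, action: str, severity_after: str, frequency_after: str) -> int:
    """Corrective action use: record the action, re-score, and return the residual risk."""
    inc.history.append((action, inc.severity, inc.frequency))
    inc.severity, inc.frequency = severity_after, frequency_after
    return inc.score


def is_acceptable(inc: Incident) -> bool:
    return inc.score <= ACCEPTABLE_SCORE


def demo() -> dict:
    """Constructed sample incidents; returns the values a caller can check."""
    incidents = [
        Incident("INC-001", "solvent spill in paint shop", "moderate", "likely"),          # 12, medium
        Incident("INC-002", "fall from unguarded mezzanine", "catastrophic", "possible"),  # 15, high
        Incident("INC-003", "paper cut at reception", "negligible", "frequent"),           # 5, low
    ]
    order = [i.incident_id for i in prioritize(incidents)]

    # Corrective-action loop on the highest-ranked incident: the first control
    # only lowers the frequency a little, so the residual risk is still above
    # the acceptable cutoff and a second control is applied.
    fall = incidents[1]
    residuals = [apply_corrective_action(fall, "toolbox talk on edge work", "catastrophic", "unlikely")]
    if not is_acceptable(fall):
        residuals.append(apply_corrective_action(fall, "install guardrail", "catastrophic", "rare"))

    return {
        "order": order,
        "residuals": residuals,          # [10, 5]
        "acceptable": is_acceptable(fall),
        "final_band": fall.band,
        "actions": [h[0] for h in fall.history],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```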
There’s more
Risk management tools are invaluable for EHS professionals in other areas: emissions tracking, energy management, Safety Data Sheets, aspects, objectives and targets, and crisis management – just to name a few. Incorporating risk management tools into all of your EHS operations will help you make informed decisions and get on a path of constant improvement.
Risk management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. IT security threats and data-related risks, and the risk management strategies to alleviate them, have become a top priority for digitized companies. As a result, a risk management plan increasingly includes companies’ processes for identifying and controlling threats to its digital assets, including proprietary corporate data, a customer’s personally identifiable information and intellectual property.
Risk management standards
Since the early 2000s, several industry and government bodies have expanded regulatory compliance rules that scrutinize companies’ risk management plans, policies and procedures. In an increasing number of industries, boards of directors are required to review and report on the adequacy of enterprise risk management processes. As a result, risk analysis, internal audits and other means of risk assessment have become major components of business strategy.
Risk management standards have been developed by several organizations, including the National Institute of Standards and Technology and the ISO. These standards are designed to help organizations identify specific threats, assess unique vulnerabilities to determine their risk, identify ways to reduce these risks and then implement risk reduction efforts according to organizational strategy.
The ISO 31000 principles, for example, provide frameworks for risk management process improvements that can be used by companies, regardless of the organization’s size or target sector. The ISO 31000 is designed to “increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment,” according to the ISO website. Although ISO 31000 cannot be used for certification purposes, it can help provide guidance for internal or external risk audit, and it allows organizations to compare their risk management practices with the internationally recognized benchmarks.
The ISO recommends that the following target areas, or principles, be part of the overall risk management process:
The process should create value for the organization.
It should be an integral part of the overall organizational process.
It should factor into the company’s overall decision-making process.
It must explicitly address any uncertainty.
It should be systematic and structured.
It should be based on the best available information.
It should be tailored to the project.
It must take into account human factors, including potential errors.
It should be transparent and all-inclusive.
It should be adaptable to change.
It should be continuously monitored and improved upon.
The ISO standards and others like it have been developed worldwide to help organizations systematically implement risk management best practices. The ultimate goal for these standards is to establish common frameworks and processes to effectively implement risk management strategies.
These standards are often recognized by international regulatory bodies, or by target industry groups. They are also regularly supplemented and updated to reflect rapidly changing sources of business risk. Although following these standards is usually voluntary, adherence may be required by industry regulators or through business contracts.
Risk management strategies and processes
All risk management plans follow the same steps that combine to make up the overall risk management process:
Risk identification. The company identifies and defines potential risks that may negatively influence a specific company process or project.
Risk analysis. Once specific types of risk are identified, the company then determines the odds of each occurring, as well as its consequences. The goal of the analysis is to further understand each specific instance of risk, and how it could influence the company’s projects and objectives.
Risk assessment and evaluation. The risk is then further evaluated after determining its overall likelihood of occurrence combined with its overall consequence. The company can then decide whether the risk is acceptable and whether the company is willing to take it on based on its risk appetite.
Risk mitigation. During this step, companies assess their highest-ranked risks and develop a plan to alleviate them using specific risk controls. These plans include risk mitigation processes, risk prevention tactics and contingency plans in the event the risk comes to fruition.
Risk monitoring. Part of the mitigation plan includes following up on both the risks and the overall plan to continuously monitor and track new and existing risks. The overall risk management process should also be reviewed and updated accordingly.
Risk management approaches
After the company’s specific risks are identified and the risk management process has been implemented, there are several different strategies companies can take in regard to different types of risk:
Risk avoidance. While the complete elimination of all risk is rarely possible, a risk avoidance strategy is designed to deflect as many threats as possible in order to avoid the costly and disruptive consequences of a damaging event.
Risk reduction. Companies are sometimes able to reduce the amount of effect certain risks can have on company processes. This is achieved by adjusting certain aspects of an overall project plan or company process, or by reducing its scope.
Risk sharing. Sometimes, the consequences of a risk are shared, or distributed, among several of the project’s participants or business departments. The risk could also be shared with a third party, such as a vendor or business partner.
Risk retention. Sometimes, companies decide a risk is worth it from a business standpoint, and choose to retain the risk and deal with any potential fallout. Companies will often retain a certain level of risk if a project’s anticipated profit is greater than the cost of its potential risk.
Organizations conduct safety audits to comply with laws or regulations and to provide a safe workplace for everyone. A safety audit identifies different levels of risk in each work area of an organization. An audit’s findings can also include how an organization can remediate potential threats to employees and visitors. When an organization follows through on the findings of a safety audit, the workplace will be safer, and there will be a reduced likelihood of worker injury, illness, and death.
A systematic approach is a vital ingredient for a safety audit. Including the following components will make a safety audit more effective:
1. Research safety conditions that should exist in each work area. Look up the appropriate laws and rules of practice.
2. Create an audit checklist. Include minimum safety standards for each work area and possible safety issues. If an organization has a safety management system, it may be possible to print a safety audit form for each program area. Extensive research helps an auditor refine the audit checklist.
3. Conduct a preliminary inspection of all work areas. Use additional paper, if needed, to note unsafe conditions, including surfaces and equipment that need maintenance, repair, or replacement and areas where employees need better personal protective equipment. An organization can consult with experts to address safety issues that are outside the range of experience of the management team.
4. Inspect safety records of each program area. Read all safety policies and procedures, safety meeting agendas, Material Safety Data Sheets, previous inspection reports, and reports of accidents and injuries. A well-designed audit demonstrates how an organization has performed since the most recent inspection.
5. Conduct a formal inspection by visiting all work areas again. If a work area is not compliant with an item on the checklist, it’s important to record that finding. An auditor must also ask questions of on-duty managers and workers to ensure that enough information is collected to prepare a complete report.
6. Prepare an official version of the formal inspection that summarizes the audit’s findings. A summary includes comments addressing the changes that management has taken to increase safety since the most recent audit.
7. Provide a copy of the audit to management. Program managers need the auditor’s contact information in case they have questions about how to correct the problems summarized in the report.
Contractor management refers to the managing of outsourced work performed for an individual company. It is increasingly common for industries to rely upon independent contractors for specialized skills and knowledge. By utilizing outside contractors, companies can achieve three main goals: accessing specialized expertise that is not continuously or routinely required, supplementing limited company resources during periods of unusual demand, and providing staffing increases without the overhead cost of direct-hire employees.
Challenges Associated with Contractor Management
Because independent contractors are not a regular component of the company for whom they work, there are some unique challenges that must be addressed by companies conducting contractor management. Increasingly, companies rely on outsourced contractors for field service work. This poses challenges in maintaining consistency in service delivery and customer experience, as well as in maintaining visibility and sufficient control over scheduling and other facets of service.
Some of the most common day-to-day challenges associated with contractor management include:
Senior leadership commitment
Project managers’ understanding of their roles
Team members’ understanding of expectations
Scheduling and task management
Control over labor costs
Companies also must determine how to access the independent contractor population and minimize costly penalties that often result from improper classification of workers and independent contractors. Moreover, companies need to consider how to evaluate independent contractors. On-boarding and administration programs must be in place for successful contractor management.
Other aspects of contractor management that must be considered are risk assessment and identification, issuing 1099s on behalf of the client, and document completion, collection, and maintenance. Many challenges associated with contractor management can be overcome by employing best practices for contractor management.
Best Practices for Contractor Management
Freelancing and independent contracting especially are popular among small businesses. Independent contractors are able to fulfill needs that the small business workforce otherwise could not. Contractor management is necessary because of the nature of the independent contractors’ work; independent contractors, particularly field service contractors, often work away from the office and are not under direct supervision. Under these circumstances, even experienced CEOs may find it difficult to manage independent contractors. There are some best practices that help companies and executives handle their contractor management:
Clearly define the services that you need to have provided
Draft a job description to serve as a reference point when drawing up a contract
Determine payment schedules and compensation rates ahead of time
Set up a straightforward and clear written agreement at the contract’s start
Ensure that you are firmly within legal grounds and document a work arrangement meticulously so that you are correctly classifying your independent contractor
Keep in mind that experts recommend that you determine the what and the contractor determines the how – you outline specific goals, but the contractor must provide his own tools, equipment, and facilities to complete the work
Guide productivity and ensure that the contractor will produce high quality work while meeting key deadlines by specifying the deliverables in the agreement, making yourself available to answer follow-up questions, and scheduling regular meetings for progress updates
Communication is Key to Contractor Management
Independent contractors, program managers, and company executives not only have a professional duty to communicate effectively, but they must communicate in a way that ensures the contracted work is completed well and in a timely manner. Effective communication is a key component of contractor management throughout the business relationship, from defining services and writing the agreement, to meeting with the contractor throughout the project’s completion. There are several solutions for contractor management available, including mobile management software and solutions, to connect everyone and ensure successful contractor management.
With comprehensive contractor management practices offering visibility and control over the complete service chain, enterprises managing field service contractors and other independent contractors are able to reduce labor costs, obtain proof-of-service, gain real-time visibility into the status of jobs and tasks, and ultimately, provide a more consistent experience that increases end customer satisfaction.
According to new research in the Journal of Accounting and Economics, financial goals may be more important than employee safety.
UCLA Anderson School of Management Associate Professor of Accounting Judson Caskey and UT Jindal School of Management Assistant Professor of Accounting N. Bugra Ozel collaborated on a study that examined 14 years of OSHA workplace safety data, documenting anything that might show a correlation between analysts’ forecasts and injury/illness rates.
Caskey and Ozel found that any changes in operations or production that are meant to increase earnings impacted the number of injuries in the company. Specifically, an increase in employee workloads and in abnormal reductions of discretionary expenses caused a rise in injury/illness rates when analyst forecasts were met or exceeded.
“Managers can indirectly, and perhaps inadvertently, detract from safety by increasing workloads, hours, or the desired speed of work flow,” the authors said. “For example, rushed employees may have more accidents, and increased workload and hours without additional rest and recovery time can increase stress-related injuries. Managers can also directly impact safety by cutting safety-related expenditures.”
Researchers also noted that the relation between benchmark beating and workplace safety is stronger when there is less union presence, when workers’ compensation premiums are less sensitive to injury claims and among firms with less government business.
The purpose of incident management is to reinstate normal service operations as fast as possible and mitigate the negative impact on business operations, thus making sure that the agreed levels of service quality are maintained. The operational state where CIs and services are performing within their agreed service parameters and operational levels is called ‘Normal service operation’.
There are two main aims of the incident management process:
– To restore services to normal operation as fast as possible
– To mitigate the adverse effect of critical incidents on business operations
ITIL Incident Management
According to ITIL terminology, an ‘incident’ is described as an unplanned interruption.
Incident management, as the name suggests, is the process that is used to manage the lifecycle of all incidents. Incidents can be identified by technical staff, reported and detected by event monitoring tools, be conveyed by communications from users (usually through a telephone call to the service desk), or reported by third-party suppliers and partners.
Objectives
The main objectives of the incident management process are as follows:
– Make sure that standardized procedures and methods are used for prompt and efficient response, documentation, analysis, reporting of incidents, and ongoing management
– Improve the communication and visibility of incidents
– Improve the business perception of IT with the help of a professional approach, so that incidents will be resolved and reported quickly
– Line up incident management activities and prioritize them accordingly
– Enhance and maintain user satisfaction without losing the quality of IT services
Scope
Incident management includes any event which disrupts, or something which is capable of causing a disruption to the service. This includes events which are communicated directly by users – through an interface from event management to incident management tools – or through the service desk.
Value of incident management
– Ability to mitigate the risk of unplanned costs and labor for both business and IT support staff
– Ability to detect and resolve incidents, which in turn results in lower downtime for the business and therefore increased availability of the service
– Ability to line up IT activity with real-time business priorities
– Ability to identify potential areas of improvement
Policies
– Incidents and their status must be reported in a timely manner
– Incident resolution should be within the timeframes acceptable to the business
– Maintaining customer satisfaction is very important
– Incident handling and processing should be in line with overall service levels and objectives
– All incidents should be managed and stored in a single management system
– All incidents should subscribe to a standard classification schema which is consistent across the business enterprise
– All incident records should be audited at regular intervals to ensure that entries are categorized correctly
Principles and Basic concepts
There are some basic things that need to be taken care of when considering incident management.
Timescales
Timescales should be agreed upon for all incident handling stages, based upon the overall incident response and resolution targets within SLAs.
Incident models
Many incidents are not new; there are some incidents which happen recurrently. For this reason, many organizations find it very helpful to predefine ‘standard’ incident models, so that they can be referred to when needed and applied to incidents as they occur.
There are many reasons for conducting audits, but the following are the four most frequent:
Regulatory compliance audits
In market sectors such as Financial, Behavioral Health, Medical, and Pharmaceutical, periodic audits are the norm and the guidelines are clear. In any given year, a Behavioral Health clinic in NY State, for instance, may be required to undergo 4 separate audits, including Medicaid, HIPAA, OMH (Office of Mental Health), and OASAS (Office of Alcohol and Substance Abuse Services). In many of these cases, the auditors show up unannounced or on very short notice.
Compliance audits aren’t technically management audits, but the scores on such audits are certainly a direct reflection of management’s performance. Would your policies, practices, procedures, and documentation measure up to the scrutiny to which a Behavioral Health clinic is subjected?
Performance audits or ‘What’s wrong with our IT operation?’
Often, members of the IT management and staff think they are doing a spectacular job, but the customers and executive management disagree vehemently. In the worst cases, end users are preparing their pitchforks and torches in case the audit doesn’t bring about some positive performance outcomes. These audits are tough; the IT staff is defensive and they all assume that the consultants are there to fire them.
During these audits, employees sometimes resign even before the final report is released. This is unfortunate because poor performance is a reflection of management rather than staff. At other times, excellent employees leave because they have had their fill of ineffective management. Frustrations become bitter tears dripping on the conference room table, even from managers.
New management
Sometimes, incoming executives want an X-ray of organizational performance, and requesting an audit is an intelligent professional move. They want a clear distinction between the previous management’s practices and their own, and they use the final report to establish a program of organizational change.
IT is too expensive
Occasionally, IT audits are conducted because executive management considers the IT operation too expensive. They want an independent audit and a strategic plan that shows all the viable options.
4 tips for a lower stress audit
If the auditors are coming next week, there probably isn’t much you can do to improve the outcome, but there is plenty you can do to make the process more comfortable for everyone involved.
Answer binary questions with binary answers
When questions requiring a Yes or No answer are met with lengthy explanations, it is a clear indication of a problem. When I ask if you have documentation of your daily security log validation, just say yes or no! If you don’t have the required documentation, no amount of explanation is going to help. Also, I am not really interested that you are going to begin implementing your security program next month. Good for you, but I only care about what your actual practices are at the time I ask.
Don’t lie, embellish, or bury information
I always walk into audits and assessments taking a neutral, objective stance and I appreciate clients who don’t try to pre-program me. I will selectively ask for evidence or documentation for every statement you make and false statements will certainly damage your credibility. When subjects provide evasive or ambiguous answers, my inner Columbo puts on his trench coat. Equivocation and rationalization drive me to keep searching until I get the answer. Just tell the truth.
Instruct your staff to cooperate politely
I recall one compliance audit where a staff member served up every document request with a plate full of anger and hostility. The odd thing about it was that all her ducks were in a row, which is pretty unusual. So, why the anger? Don’t unleash it on the consultants.
I remember several engagements where the IT staff tried to tell me that their IP addressing schemes and Visio diagrams were secret. Huh? As soon as I retrieved my jaw from the floor, I went over their heads and arranged for delivery of the requested information. These events created suspicion and hostility that weren’t required.
In two organizations I contracted with, staff members claimed their Security Policies were secret! How does that work? These sorts of behaviors are indicators of significant departmental and organizational problems.
Prepare documentation in advance
All documentation including policies, procedures, infrastructure documentation, logs, hardware and software inventories, PSA system reports, etc. should be readily available for the consultants. They will ask to see it. I generally ask for all this information before I go on site for the first time and I am always appalled by the number of organizations that have none of the documents that are generally accepted to be components of a solid Information Technology Governance program. Sometimes these data dumps include reams of irrelevant information in the hope that I won’t find the smoking gun.
Auditing for organizational culture
I include a frank assessment of departmental and organizational culture in my reports and it is sometimes less than flattering. Delivering this information to executives and managers generally creates a tense silence while they try to chew and swallow that particularly tough piece of meat. They rarely argue because they know it’s true, but few have dared to state the obvious out loud. A realistic and objective assessment of company culture is required to address the root causes of problems. Bad management, inefficiency, malfeasance and incompetence have often been enabled for years before an audit is finally initiated. Interdepartmental politics, turf wars, jealousy, meddling and backstabbing all contribute to the problems at hand and managers throughout the organization are responsible.
In many cases, executives and managers have worked in large, bureaucratic organizations for their entire careers and they can’t see the signs of broken company culture. They think bad behavior and dysfunction are the norm.
The final report
If the final report is not a testimonial of glowing praise for your IT operation, I urge you to sit back and reflect carefully before lashing out. The report is a mixture of data, facts, and input from your coworkers and end users. I always base part of my conclusions on both formal and informal interviews with end users and managers from every department in an organization. What ends up in the report is a reflection of what your colleagues really think about your operation. My career started with a four-year stint in army intelligence, and I actually do cross-examine and interrogate. The natural inclination of some IT Directors is to argue and pick apart every statement and conclusion in the report, but this is definitely the wrong approach.
A nearby local government entity with which I am familiar recently received a failing audit from a state regulatory agency. It wasn’t a first-time fail and the endemic problems have been simmering for decades. Several executives from this entity made statements to the press that the audit “was a gotcha audit. It’s all about paperwork and there is nothing real here. We’re providing excellent services.” Talk about denial! I believe they will come to regret those statements since the infractions were extremely serious and they will likely have to return millions of dollars to Medicaid. They may call a missing signature “a gotcha,” but Medicaid calls it fraud. Their culture is so broken that they really need a turnaround expert and complete replacement of the management, but they haven’t reached rock bottom yet, apparently.
In recovery
The correct response to a failing audit is to contemplate the report carefully and develop a proactive remediation plan immediately. Humility may save your job, but you can’t step off onto the recovery road until you admit you have a problem.
Ask for help. Operations that have been dysfunctional for years can’t be turned around overnight. Organizational culture may inhibit a turnaround and objective, external assistance may be required.
Listen to what your colleagues and objective auditors had to say and take it seriously. Don’t go swimmin’ in denial.