by Don Byrne, CBCP, CDCP, CBRO-M, Lead Auditor, Adjunct Professor, Boston University
The following is a list of the questions submitted during the Career Options and the PS-Prep Program, which was held on 27 July 2010. This event was hosted by the Association of Contingency Planners, ContinuityCompliance.org, North River Solutions, and Metrix411.
It is one in a continuing series of educational webinars.
You are invited to post comments here. If you have further questions, consider contacting Don Byrne at dbyrne@NorthRiverSolutions.com.
Professionals interested in this topic are invited to join the LinkedIn group “PS-Prep Career Forum.”
Q. As a consultant/contractor what would be an average deployment for an audit?
A. The length of an audit engagement depends on the size of the organization, the complexity of the business, whether the audit is multi-location or concentrated at one site, the maturity that the organization shows in terms of its business continuity plan, etc.
While ANAB has not published any guidelines as to the expected duration of an audit based on organization size (which do exist in some standards like ISO 9001!), you can assume that most CB/Rs (certification bodies/registrars) will attempt to have the audit run no more than one work-week.
Many audits can be conducted in 3-4 work days. Shorter periods are not as profitable and CB/Rs take this into consideration when quoting projects. As a general rule, an audit lasts at least 2 days, not including the Stage 1 document review period. Trying to complete an audit in one work-week or less is more an expense consideration than anything else since everyone wants to avoid paying for “down period” weekends and/or travel to and from the site over a weekend period. Plus, auditors are generally booked out 3-6 months in advance. Since long engagement periods tend to interfere with this type of scheduling, efforts are made to avoid multi-week engagements.
For larger audits, trying to follow this guideline might mean dispatching 2, 3 or more auditors to the client facility along with an appropriate set of subject matter experts (SMEs).
So, while multi-week engagements do occur, they are more the exception than the rule.
Q. What is the difference in role of the auditor and PS-Prep consultant?
A. Auditors are charged with ascertaining compliance with a standard. They cannot offer advice nor are they trying to find problems. The goal of the auditor is to simply measure compliance to the terms and mandates of a standard.
Consultants are hired to help uncover gaps, propose solutions, assist with training and plan testing (thought exercises and other techniques) and provide advice on policies, procedures, strategies and tactics. They may or may not be trying to (or trained to!) ascertain compliance with a standard. Instead, they are usually reacting to a statement of work that outlines the goal of the engagement. These goals may involve helping to prepare to be compliant with a standard as well as meeting other goals such as proposing and perhaps implementing cost-effective measures for achieving stated activities (e.g., reduced wait time for the customer service group).
Q. What is the difference between a Certification Body (CB) and Registrar (R)?
A. In reality, there is no difference other than the use of one term over the other. There is a slight historical difference but in all practical ways, there is no difference and the terms are interchangeable. In fact, many CBs refer to issuing a certification document as a registration event.
Q. What is the range of salaries for PS-Prep Auditors and contracting rates for contractors?
A. As was mentioned by Randy Pittman of NQA during the webinar, contractors are generally paid between $300 and $500 per day, plus expenses. Full-time employees are paid competitive salaries but, given the additional benefits they receive plus the guarantee that comes with full-time employment, their salaries will be more in line with comparable positions in private industry.
Q. Having done financial audits, where can one find an audit program that an auditor would follow?
A. Each CB/R uses an audit module of their own design. This generally consists of the core elements of whatever standard is being audited, augmented by the specific policies of the CB/R: for example, a checklist of issues they want covered in the opening and closing meetings. So, the CB/R supplies the audit module and the Lead Auditor, in consultation with the audit team, will customize the module and produce a specific audit plan that is presented to the client.
Q. In regards to the question about training for veterans…maybe if the LinkedIn forum posts this as an open question, someone from DHS or other agency might respond.
A. This is a good idea and we will do this. In addition, Doug Moore has consented to use his contacts to escalate this issue and bring it to the attention of various groups he is working with on other projects that are designed to help find employment opportunities for veterans.
Q. What auditor would sign their name to a document saying that a firm’s plans mean they can recover from a hazard being exploited?
A. The complexity of the client’s environment and the scope of the area they want to certify will define the type of audit team that is dispatched to the site. If someone is only certifying a single process (packaging fruit salad) or a specific department (customer service), then this limited scope generally allows the audit to be conducted without involving too many people. Please remember that an audit is a determination of compliance with a standard. It does not guarantee that an organization is able to perform in an emergency; simply that the BCM program meets the requirements as set forth in the specification portion of a standard. This is generally an indication of readiness to deal with the issue covered by the standard, but the CB/R does not warrant performance in any way.
Q. Regarding training, are there any accredited training programs available now, with the exception of the existing BS25999, that will be acceptable for PS-PREP?
A. Scott Richter of ANAB and Randy Pittman of NQA both made the point that there are no currently available courses that have been reviewed and deemed acceptable by ANAB. Courses that meet RABQSA requirements for some of the standards involved in PS-Prep do exist. For example, BSI offers a BS 25999 course that meets RABQSA requirements (including ISO standard 17024), ASIS has an SPC.1 course that meets RABQSA requirements, and there may be others. I am unsure if any of the NFPA 1600 courses are RABQSA approved, but this can be answered by putting the question to the training organization offering the course. That said, ANAB has not recognized any of these courses as of now. (See a related question below dealing with an expected RFP from ANAB on this issue.)
Q. What opportunities do you see in this field for a retired Police Chief who is certified to teach all ICS courses, certified to teach BCM by DRII, certified Senior Professional in HR, and who has conducted and responded to Government Audits including corrective action plans, and who currently consults conducting computer forensics, IT security, physical security and writing and revising emergency plans?
A. I think the opportunities are very good, especially as part of an integrated Security/BCM program at a company. I think that there are numerous internal audit groups that would be interested in hearing from someone with this background.
Q. Would the daily rate for an auditor include travel expenses or would that be a separate payment by the client or the auditing body the consultant is working for?
A. The CB/R that is engaged to conduct the audit will handle all billing and expenses. Generally, living expenses are addressed as a per diem that is above and beyond the pay rate given to the auditor or SME (subject matter expert). Travel and lodging may or may not be billed at cost; that is an issue for the CB/R to decide.
Q. Please have Don Byrne repeat the name of the LinkedIn forum. Was the site also IAS.un?
A. The LinkedIn Forum is PS-Prep Career Forum. The site that Scott Richter referred to is www.iaf.nu.
Q. Is there a Certification Body for SPC.1, would it be ASIS?
A. No. ASIS is an SDO – a Standards Development Organization — they have a mission to develop standards and offer them up for industry consideration. ASIS is quite active and has several standards in development at this time including BCM.1 (Business Continuity Management) which is a contender for ISO status. You can contact Don Byrne at firstname.lastname@example.org for more information on this topic.
Q. I am considering becoming an RABQSA Certified ISO28000 auditor since this seems to have many of the same components as the PS-Prep requirements for auditors? Will this shorten the process of being trained in a recognized program when ANAB recognizes a training program for the PS-Prep standards?
A. Yes, especially if the course you take follows the new TPEC format recently approved by RABQSA. Under this new format, Lead Auditor courses are divided into three modules which are conducted over a four-day period. The first two days are devoted to the standards in question. The third day focuses on auditing skills and the last day discusses team leadership. Under this new scheme, if you pass the last two modules, you will not have to take them again and recognition of your proficiency in these areas will be granted across all RABQSA courses.
BTW, the difference between an Internal Auditor course and a Lead Auditor course is the fourth day – team leadership skills.
Q. After the roll-out will the government start requiring PS-Prep certification for government contracting?
A. As discussed during the webinar, PS-Prep is 100% voluntary. That said, there are market forces in both the private sector and public sector that indicate they would look favorably on organizations that have a PS-Prep certification. This is a TBD item. As we become aware of any new information relating to this issue we will post an update on this site.
Q. Must an organization certify an entire organization or just an office or division to be considered PS-Prep recognized by DHS?
A. Applicants can apply for certification across a wide or narrow scope. In fact, it is generally advisable to start with a limited area and then consider expanding. One organization recently used a UKAS (not ANAB!) accredited organization to certify a 7 person department to BS 25999. This type of limited certification is common. For example, many organizations that certify to ISO 9001 will focus on their production or manufacturing department and not have their HR or finance department fall under the scope of the certification.
Q. I am an IRCA Certified ISO27001 auditor; is this credential recognized under the PS-Prep program? What additional specific training might I need?
A. Your training and background are excellent for this area. Depending on what the CB/R requires, you may only have to demonstrate competency in the standard(s). This is an individual CB/R policy question.
Q. The ads for the DRII/NFPA Lead Auditor Certification credential state that it is recognized under the PS-Prep program. Are you saying this credential is not?
A. This question is best directed to DRII/NFPA. As Scott Richter stated, ANAB has not approved any courses yet. It is possible that these courses will be recognized over time but that is an ANAB decision and not something we can answer. Again, start by asking the question, “Is this an RABQSA approved training program?” and continue the discussion from there. Another way to ask the question is “Does the course meet the requirements of ISO 17024?” which is the ISO standard governing training.
Q. What specific steps can someone take now to become certified as a PS-Prep auditor? Do you have to wait until a certifying body is named?
A. These are two related questions. First, to qualify as an individual auditor, you will need to take training that is recognized by ANAB for that purpose; and as we hear, this does not yet exist. Next, anyone can offer to conduct an audit under any of the recognized PS-Prep standards but only those run by an ANAB accredited CB/R will be recognized by ANAB and DHS. As Scott Richter indicated, he expects ANAB to begin accepting applications in this area by September 2010.
Q. When the BC standard being considered for ISO is formal, what will the impact be on organizations’ certifications, on CBs, and those who are pursuing auditing careers?
A. Well, the formal answer is, “We don’t know!” That said, currently DHS has recognized three (3) standards under the PS-Prep program (SPC.1, BS 25999, NFPA 1600: 2007 and NFPA 1600: 2010). There is nothing that stops them from recognizing other standards under the program and an ISO standard would certainly be a contender for such recognition. Don Byrne has written an article on this possibility called “A Fourth Standard?” It is posted at https://www.continuitycompliance.org/ and might be worth reviewing in light of this question.
Q. Lisa mentioned Emergency Standard, BC standard and Organizational Resilience standard. Is she saying NFPA 1600 is the emergency standard, BS25999 is the BC standard, and of course OR SPC-1 is organizational resilience?
A. No. All the PS-Prep sanctioned standards deal with overall preparedness. Her comment was that each has its own area of focus and, in that context, in her opinion as an SME, NFPA 1600:2007 treats emergency management more comprehensively than the others. However, each is a very good standard.
Q. Will only CB auditors be allowed to conduct PS-Prep audits?
A. Only CB/R auditors will be able to conduct audits that will be recognized by ANAB and DHS under the program. However, anyone can conduct an audit and many companies start by conducting self-assessments which can be considered First-Party audits.
Q. Will there be a time lag in implementing PS-Prep until this training is made available?
A. As mentioned by Don Byrne and Scott Richter, the entire program is expected to come together in Q4/2010, which is the first quarter of the federal government’s fiscal year.
Q. Why has ANAB not chosen a training program?
A. Given the nature of this project, ANAB is expected to release an RFP at some point in the near future for the development of one or more training programs in this area. An RFP was actually released by ANAB earlier in the year and then withdrawn. Recently, ANAB has solicited information on training programs and this is what Scott referred to during the webinar. When that will happen is up to ANAB and they haven’t made any statements beyond their goal of being ready to accept CB/R applications later this year.
Q. For consultants, is it advisable to get auditor training?
A. Yes! Such training will enable you to have a better understanding of what an auditor will look for during a compliance review.
Q. Please dispel rumors that BSI and DRII have training courses that are recognized by ANAB.
A. Scott Richter and Randy Pittman both indicated that no recognized training programs currently exist.
Q. Are there any registrars interested in supporting this standard?
A. Yes! Scott Richter indicated that ANAB has already met with 8 CB/Rs who have expressed an interest in the program and he expects that over time a total of between 15 and 20 will apply for accreditation by ANAB.
Q. How will lead auditors be developed/certified?
A. The training programs that are being discussed will be Lead Auditor programs. That said, each CB/R has additional requirements for granting this status to contract auditors and their own staff, so it is a CB/R by CB/R issue.
Q. So what are our next steps to become certified as a PS-Prep auditor?
A. Stay involved in the LinkedIn forum and watch for announcements on www.continuitycompliance.org.
Q. As a consultant wanting to help companies prepare for certification, what training should I get to be able to support them?
A. As mentioned above, attending ANAB approved training courses is a great way to start. You might also look into some of the self-assessment tools that are coming onto the market.
Q. How does DRI Auditor Training and certification transfer into ANAB Auditor requirements?
A. Scott Richter indicated that ANAB was not going to specify any individual certification requirements for conducting audits. ANAB is leaving that up to the CB/Rs. Randy Pittman outlined what experience and skills his organization, which is typical of other CB/Rs, will look for when interviewing candidates.
Q. What advantage does someone have of being hired if you can also bring specific subject matter expertise to the table, i.e. supply chain?
A. Clearly, expertise in one or more industries and specifications is an advantage. An understanding of supply chain issues may help qualify you for another standard, the ISO 28000 series. Of course, training in this area would be required but it might be something you want to investigate further.
Q. Has BS25999 certification resulted in a large number of opportunities? What is different with PS-Prep?
A. To date, there have been around 200 certifications to BS 25999 granted by the six UKAS approved CB/Rs. Most of these were outside the US. This number should expand significantly once ANAB opens the PS-Prep program, which is expected to happen later this year.
Please keep your questions coming and comment on these responses!