Archive for the ‘Work’ Category

Guildford (Work), Holiday Inn and Mobile Broadband

29/04/2009

Another assessment job and another hotel. The best assessment experience (again no names of course) was from a small unit involved in a design activity. One of the controls they had was a checklist to cover the key checks to be made and they didn’t have any completed checklists to show me. The approach appeared to be Complete it; Sign it; Bin it. Can you believe it! Something new every job!

The hotel – another Holiday Inn – always the same and always different. Not bad but, probably due to the area, expensive. My meal tonight with a free dessert and coffee came to about £25. A bit steep I think. Still – I think I can give it 3 stars out of 5.

Mobile Broadband. Having ditched the 3 dongle due to poor cover and more importantly their complete inability to be able to let me use my credit card over the Internet to buy more time I am now with Vodafone. Cover still not good (but I am on the bottom floor of the hotel) but I do have a “poor” 3G signal that has allowed me to function without too much problem. Looking good I think.

Risk Management

08/01/2009

Just a few notes on Risk Assessment and Risk Management in response to enquiries and my work in this area.

A quick Google search has turned up a project management related Blog that looks good at first glance – OnProjects

Also try the source itself – the OGC

Also try the Wikipedia entry

The key message is that any good risk management system will follow the obvious steps:

Identify what you are trying to protect

Identify what can go wrong

Determine the impact of failure

Identify the likelihood

Risk = Impact * Likelihood

Identify possible ways of reducing risk

Select based on cost effectiveness to reduce the risk to an acceptable level. Get management approval of the residual risk – it might make them realise what could go wrong and therefore provide more resource!

Risk Management options – Control, Avoid, Transfer, Accept

The key thing about risk assessment and risk management is to keep it in focus. Don’t just identify risks and forget about them. Schedule reviews to keep the picture current.
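The steps above as a small risk register, added here as an illustration and not part of the original post. The 1 to 5 scales, the control names and costs, the acceptable level and the 90-day review interval are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Control:
    name: str
    cost: float              # constructed yearly cost
    impact_cut: int = 0      # points taken off impact
    likelihood_cut: int = 0  # points taken off likelihood

@dataclass
class Risk:
    asset: str        # what you are trying to protect
    threat: str       # what can go wrong
    impact: int       # 1 (minor) to 5 (severe)
    likelihood: int   # 1 (rare) to 5 (almost certain)
    last_review: date

def apply(impact, likelihood, c):
    """Return (impact, likelihood) after a control; neither drops below 1."""
    return max(1, impact - c.impact_cut), max(1, likelihood - c.likelihood_cut)

def treat(risk, controls, acceptable):
    """Add controls, best risk reduction per unit cost first, until residual <= acceptable."""
    imp, lik, chosen, left = risk.impact, risk.likelihood, [], list(controls)
    while imp * lik > acceptable and left:
        def gain(c):
            i, l = apply(imp, lik, c)
            return (imp * lik - i * l) / c.cost
        best = max(left, key=gain)
        if gain(best) <= 0:      # nothing left reduces the risk
            break
        imp, lik = apply(imp, lik, best)
        chosen.append(best.name)
        left.remove(best)
    residual = imp * lik
    # Above the acceptable level, what remains is Avoid, Transfer or Accept.
    return {"inherent": risk.impact * risk.likelihood, "controls": chosen,
            "residual": residual, "acceptable": residual <= acceptable}

def review_due(risk, today, interval_days=90):
    """True when the risk has not been reviewed within the interval."""
    return (today - risk.last_review).days > interval_days

# Constructed sample data
laptop = Risk("customer records", "laptop stolen", 5, 3, date(2009, 1, 8))
CONTROLS = [Control("disk encryption", 2000, impact_cut=3),
            Control("cable locks", 500, likelihood_cut=1),
            Control("site guard", 30000, likelihood_cut=2)]
```

Calling `treat(laptop, CONTROLS, acceptable=6)` takes the inherent score of 15 down to a residual of 4 using the two cheaper controls, and `review_due` flags any entry that has gone unreviewed for longer than the interval.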

Quality Management – Records

10/10/2008

Again no hints of the organisation(s) where this issue has sparked a bit of a campaign.

I see lots of people doing good things in their organisations, but for many they forget that sometime in the future they may need to look back to what they have done. When contracts are reviewed, authorisation of major spend or design activity etc. I see so many organisations keeping the key records in personal e-mail. Now, I accept that for most organisations this stuff is backed up but for me the question is how are you going to find it? This is a real practical problem that has many relatively simple solutions.

As always I go back to ISO 9001 – A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records.

Do I need to make this more simple? So just do what it says…

Social Engineering

02/10/2008

I recently witnessed some great examples of Social Engineering – gaining information from organisations that is not normally made public. This was listening to someone on the phone trying to get the names and contact details of some influential people.

One of my favourites was the line: “I have a note in my diary to give nnn a call…” this makes it all official and implies that the call is to some degree expected by the recipient. Try this the next time you want to make a high level complaint to the chairman of a company!

Another was asking to be put through to the big name’s PA and then asking for the e-mail address so that you can send a social invitation. Once the rapport is there you never know what else you could discover.

A final thought – in some environments carrying a pizza delivery box can be another route to get into a building.

Let’s keep things safe!

Another Day Another Management System

01/10/2008

Today was a Stage 2 Assessment of a small company quite local to where I live (Monmouth, South Wales). This was part of my work for LRQA as an independent subcontractor. My own company is Ashton Management System Services Ltd – a bit of a mouthful but we do what it says on the tin – provide services to my client’s management system. Much of my work is as an assessor for LRQA covering ISO 9001 and ISO 27001.

Still, what about today? Obviously no customer details but I reckon I always learn something from an assessment or audit. Today was no exception.

Small firms always stretch the boundaries of ISO 9001, but there is always a way of working that conforms to the standard, without excessive bureaucracy and still adds value to the business. The simple message is that in managing business relationships, having a clear understanding of the requirements can only be a good thing. This is one of the common threads in ISO 9001 but one that is too often a bit of a failing. There is the tendency to leave things just a bit too informal and this can so easily lead to mistakes.