Locking Down Remote Audits

In his latest blog, Dave Conway discusses how remote audits are demonstrating ongoing compliance for FM Conway management systems.

Certified management systems are a key requirement for businesses these days.

So, what are management systems? They are a framework for managing and continually improving the company policies; a uniform collection of procedures and processes to ensure consistency and compliance. They include strategies for setting and achieving goals, ensuring optimisation of processes, and, enforcing review and learning.

Our primary clients are highways authorities and councils. We work as Principal Contractor for such authorities and additionally, we work as a sub-contractor for major civil engineering contractors.

Almost all our clients require us to have proven management systems in place before they will put us on their tender lists. They usually require these systems to have been independently audited and approved by a recognised certification body. A management system audit is a systematic examination used for verifying objective evidence of processes, to assess how successfully processes have been implemented, for judging the effectiveness of achieving any defined target levels, to provide evidence concerning reduction and elimination of problem areas.

FM Conway has used the British Standards Institution (BSI) as its independent certification body for more than 25 years as they are internationally acknowledged as the foremost provider of such services as well as being the UK’s national standards body. Certification demonstrates to our customers, stakeholders, and all interested parties, that our systems meet and exceed international standards.

BSI’s Audits are conducted on a pre-planned basis at regular intervals to ensure ongoing compliance with the requirements of the international standards, ISO9001, for Quality, ISO14001 for Environment, ISO45001 for Health and Safety and ISO 39001 for Road Traffic Safety. These audits are arranged into two annual blocks, each around two-three weeks long, one in spring, one in autumn, and it is essential that we successfully complete these audits to maintain our certification. Failure to maintain the certification would put our ability to work for most of our clients at risk.

The COVID-19 pandemic that swept through the world this spring has presented many challenges to businesses. Traditional audits involving site and depot visits, face-to-face interviews, examination of documentation and records, could not be undertaken in the lockdown and it was necessary to take a different approach. BSI have, for some time, offered the ability to undertake some remote auditing, and following discussions with their experts, it was agreed that we would attempt the entire FM Conway spring audit block on an entirely remote basis.

The audits would cover all four certified management systems over a total of 15 man-days, using a four-person audit team from BSI. Coverage would include three of our asphalt plants and our Highways Electrical scheme, NHSS8. It was agreed prior to the audit that BSI would only use auditors who were familiar with the company and its activities as it would be too difficult to explain the nature and detail of our activities to complete newcomers.

The process was unique in that it was undertaken with both auditor and auditee remote from the works. It was acknowledged from the start that, even with the amazing technologies and communications available, it would be too challenging to expect to ask to see something and it to appear as if by magic!

The approach taken was that each auditor would compile a checklist of evidences, documents and records, on a sampling basis, that they required to see and provide it to me in advance. With 15 days of audit, from four different people, that made for a lot of checklists and an enormous collection of data required.

I would then gather all of the required data, collate it against the checklists, and provide it to the auditor before the specified audit date.

On the actual day of the audit, we would have an opening meeting using Microsoft Teams or Zoom, the submissions against the respective checklist would be explained, and the auditor would then review the submitted evidence against the necessary criteria. During the course of the day there would be contact to clarify any issues the auditor might have with the evidence provided. Sometimes a simple answer might suffice, but usually it required a further piece of evidence to be provided.

This was especially challenging as it would usually require me to make contact with someone else, who might also be working from home, who would then have to access their work systems, retrieve the data, pass it to me… often they would simply send me a hyperlink to the records on the server, for me to retrieve myself...and I would then forward it to the auditor.

The biggest challenge was, undoubtedly, the sheer volume of data that needed to be moved. The BSI auditors are prevented from using data transfer systems such as Dropbox. Our e-mail system has an outgoing limit of around 15mb, so it was necessary to collate the data into packages of 'zipped' folders and send them across as a series of e-mails. For one particular day’s audit it required 22 separate zip folders!

In total, over the 15 days, we transmitted 1,630 files, in 252 folders, a total of 1,770,602,458 bytes of data! Every single piece of it checked for sensitivity and compliance with GDPR rules. BSI agreed to delete all data received upon completion of the audits.

This required the support of a host of Great People. Plant Managers, Compliance Officers, Training Administrators, Central Support, and my colleagues in the SHEQ team, all of whom produced Great Work to enable us to meet the audit requirements.

The end result? We completed the audit programme, addressed every request, answered every query, and came through the process with a clean sheet in all respects. No non-conformities raised, and continuing certification through to the next audit block in the autumn, when we can do it all again!

Let’s hope we’re back to some form of normality by then. The measures we took were effective, but it sure is a hard way to be audited!