What if Contingency Plan does not achieve the Recovery Goal?

[Fadhilah Cholish Azhari]

Hello,

I wanted to ask for contingency plan.

If we conducted the contingency planning according to the framework (Business impact analysis, alternative strategies, etc.) but after develop the contingency plan, the alternative strategies, and simulate the strategies we could not acheive the recovery target (e.g Recovery Time Objective exceeds the Maximum Tolerable downtime) due to lack of resources.
Does that considered as a non-conformance by the IATF Auditors?

What if we plan for the improvement? Does that make the complying the contingency plan requirements?

 

[Jen Kirley]

This is not a nonconformity - on the contrary. It seems to me that your process is working. Risk-based planning activities that uncover an opportunity for more resources should be reported in Management Review, appropriately responded to, re-evaluated for adequacy and then - assuming the outcome is satisfactory - consider the matter concluded.

 

[Randy]

The only time it would be an NC is if you didn't do anything to fix it. Sometimes plans don't work.

 

[Sidney Vianna]

Does that considered as a non-conformance by the IATF Auditors?

If I were the auditor delving into the issue, I would investigate what kind of resources were not made available and why. If the conclusion were top management were derelict or negligent in providing such resources, I most definitely would trigger a CAR, since there are clear requirements in the standard for such top management to provide the resources for the QMS. Even more critical in the case of a recovery scenario, where (typically) something already went awry and customer(s) have been impacted.

 

[Fadhilah Cholish Azhari]

If I were the auditor delving into the issue, I would investigate what kind of resources were not made available and why. If the conclusion were top management were derelict or negligent in providing such resources, I most definitely would trigger a CAR, since there are clear requirements in the standard for such top management to provide the resources for the QMS. Even more critical in the case of a recovery scenario, where (typically) something already went awry and customer(s) have been impacted.

So basicly, the CAR probably not refer to contingency clause, but leadership clause?

Am i correct?

 

[Jen Kirley]

So basicly, the CAR probably not refer to contingency clause, but leadership clause?

Am i correct?

I believe you are, yes.

 

[Sidney Vianna]

https://committee.iso.org/files/live/sites/tc176/files/PDF%20APG%20New%20Disclaimer%2012-2023/ISO-TC%20176-TF_APG-Resources.pdf

Resources is something that is covered in several places in the standard. It is very hard to pinpoint a potential specific clause of the standard based on the limited information you provided. Nevertheless, failure to provide resources to address the achievement of a recovery goal COULD be assigned to top management, IF that were the case following the audit trail/investigation.

 

[Fadhilah Cholish Azhari]

Thank you for the answers.
Really helpful

 

[Ashland78]

The only time it would be an NC is if you didn't do anything to fix it. Sometimes plans don't work.

Yes, as long as that is documented in a procedure that this complies. Even if it says this is considered a contingency plan for our organization.

 

[Sidney Vianna]

Yes, as long as that is documented in a procedure that this complies.

So, if the procedure says top management can disregard the provision of resources, even when the standard states they are responsible for it, you would be ok with that?

You already have a quality problem, otherwise you wouldn’t have a recovery action in course. And you want to promote the idea that a procedure can create a loophole for escaping accountability? I don’t agree with that.