Quality management systems help organizations consistently deliver reliable products and services. One way this is achieved is by providing tools and techniques to maintain business continuity during or after a disruptive event.
Business continuity – whether through implementing risk assessments, contingency planning or management of change – is a core tenet embedded throughout API Specifications Q1 and Q2.
API Q1, Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry, is a quality management system for manufacturers that supply products under a product specification for use in the petroleum and natural gas industry. API Q1 meets many of the ISO 9001 requirements, plus additional elements considered essential by the natural gas and oil industry.
Its sister specification, API Q2, Quality Management System Requirements for Service Supply Organizations for the Petroleum and Natural Gas Industries, applies to upstream service supply organizations and is the first international quality management system standard for service exploration and production service providers. The industry-written specification applies to critical activities such as well construction, intervention, production, abandonment, well servicing, equipment repair and maintenance, and inspection activities.
API Q1 and Q2 establish an array of minimum quality management system requirements for organizations in the natural gas and oil industry, allowing these organizations to demonstrate their ability to consistently provide reliable products, manufacturing-related processes or services that meet customer and legal requirements.
Organizations that implement API Q1 and Q2 have an overall strategic approach to mitigate and respond to adverse disruptions, as well as protect a company’s image and business operations. By implementing API Q1 and Q2, organizations show they employ risk assessments, contingency planning and management of change that promote business continuity.
Reinforcing the industry-leading quality management specifications are the API Monogram and API Quality Registrar Programs (APIQR). API Monogram and APIQR are voluntary certification programs that recognize organizations that conform with quality management specifications and/or product standards and specifications. The Monogram program licenses against more than 70 standards and specifications and requires program participants to comply with API Q1. Under APIQR, program participants can be registered against API Q1, Q2 and other management system standards. Organizations are certified after demonstrating through on-site audits that they comply with program and specification requirements.
More than 4,100 organizations around the world are authorized to use the API Monogram and APIQR marks, demonstrating that they have a quality management system that is compliant with the specifications.
Risk Assessment and Management
Under API Q1, organizations are required to maintain documented procedures to identify and control risks that may impact the delivery and quality of products. Risk assessment takes into consideration the severity and probability of a disruptive event, whether that be a natural disaster, pandemic, war or something else impacting an organization directly or indirectly through an exposed contractor/supplier. In the case of product delivery, risk assessments are required to address facility or equipment availability, maintenance, supplier performance and material supply.
API Q2 requires the establishment of a documented procedure to control risk throughout the execution of a service. These procedures address the identification, communication and management of risks associated with services and critical service-related products, work environment, and risk management tools and techniques. Also required is the implementation of mitigation measures to reduce or prevent risk and giving notification to customers that may be impacted.
Contingency Planning
API Q1 and Q2 allow for risk assessments to inform the development of contingency plans. Contingency planning outlines proactive policies and procedures in place in the event of disruption based on assessed risk.
API Q1 requires that an organization maintain a documented procedure for contingency planning based on assessed risk that includes incident and disruption prevention and mitigation measures that may impact the delivery and quality of a product. The contingency plan must include actions required in response to significant risk scenarios to mitigate effects of disruptive incidents; identification and assignment of responsibilities and authorities among all parts of an organization; and the establishment of internal and external communication processes.
Similarly, API Q2 requires an organization to maintain a documented procedure for contingency planning that includes incident and disruption prevention and mitigation measures throughout services and supporting processes of the organization, its suppliers and the customer. Such contingency planning must be documented and communicated to the relevant personnel and updated as necessary to minimize the likelihood or duration of a disruption to service. At a minimum, the contingency plan includes actions required in response to an assessed risk; actions required to reduce effects of incidents causing service disruptions; identification and assignment of resources, responsibilities, and authorities; and similar internal and external communications processes as API Q1.
Management of Change
Organizational, production or supply changes can impact risk associated with operations. Quality management systems such as API Q1 and Q2 therefore require management of change (MOC) processes to address new risks associated with changes in an organization.
API Q1 outlines an MOC process for an array of changes that may negatively impact the quality of the product. This includes changes in the organizational structure; changes in key or essential personnel; changes in suppliers of critical products, components, or activities; and changes to the management system procedures, including changes resulting from corrective and preventive actions. To ensure changes are properly known by all stakeholders, API Q1 requires an organization to notify relevant personnel and customers, when required by contract, of the change and new risk created by changes that have either been initiated by the organization or requested by the customer.
For its part, API Q2 requires service providers maintain a documented procedure for the MOC process to ensure that the integrity of the quality management system is maintained when changes are made. For the MOC, the organization is required to identify potential risks associated with the change and any required approvals prior to the introduction of such changes.
In addition, an organization following API Q2 must use the MOC process for a number of changes that may negatively impact the execution of a service, including changes or proposed changes in the organizational structure; changes in key or essential personnel; changes in critical suppliers; changes to quality management procedures; changes to the original equipment manufacturer’s specifications, applications, and software for service-related products; changes in approved design; changes including legal, industry, and other applicable requirements; deviations from applicable procedures or requirements on a temporary basis to address a specific situation; and changes in the work environment.
API Monogram and APIQR Certifications
API Monogram licensees are authorized to use the API Monogram Mark and organizations that are registered for API Q1 and API Q2 are authorized to use the APIQR marks to show they meet industry-written standards and globally-accepted quality management system specifications.
By complying with API Q1 and Q2, organizations demonstrate not only an ability to maintain business continuity, but also that they have quality management systems in place to control all operational processes, deliver consistent products or services, manage change and risk effectively and continually improve operations and customer satisfaction.
To learn more about API Q1 and Q2 or become an API Monogram and APIQR licensee/registrant, visit the API website.
Business continuity is the ability of a business to get back to work after something has disrupted it: hurricane, fire, flood, pandemic, or whatever. Business continuity planning is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards.
In Part One, I described a basic risk-handling protocol. In Part Two, I described the elements of how you turn regular risk-handling into business continuity planning. But of course it’s complicated. Some risks can wipe you out; others are nuisance level; many are somewhere in between. Some risks require specialized expertise to address them, but their consequences are grave enough that you can’t just delegate them to the specialists and then forget about them. How do you focus?
The answer is that you have to distribute risk-handling throughout your organization so that risks are addressed by the right people, but in a way that always traces back to top management (who have, after all, final responsibility for the organization as a whole). Let me talk about it.
Back in Part Two I said that each member of the Executive Team has to go back to his (or her) people to work out the details of that area’s approach. That step is the key to setting up a system of cascading risk management.
After all, even though business continuity affects everyone, there will always be some actions or some risks that are specific to a particular department or to a particular kind of disaster.
So yes, you have to start at the top. And the risks you track at the top level are the ones that can wipe you out. But then the members of your Executive Team go back to (let’s say) the middle managers who work for them, to do two things:
And then the middle managers do the exact same thing again, engaging with their employees at the working level, to achieve the exact same two goals.
Naturally if (during one of these lower-level reviews) anyone discovers a risk that affects a wider group (or even the whole organization) but was accidentally missed, escalate it on up the management chain to where it belongs and then ask everyone to update their work to account for it.
In the end, every unit in your organization—every division, every department, every plant, every team—ends up doing some level of business continuity analysis, and tracking the measures that apply at their level. And every year, the whole organization repeats the analysis: to identify what’s changed and to check if all the defined measures are still correct and current.
**************
Michael Mills has spent over 25 years managing quality and documentation systems for large companies and small ones. Now he does internal audits and consults on Quality projects, while regularly posting online. He publishes every week at the Pragmatic Quality Blog (pragmatic-quality.blogspot.com), and writes the Management Light column for the Organizational Excellence Specialists Group on LinkedIn. You can find him on LinkedIn at Michael Mills | LinkedIn.
**************
Oil & Gas Global Network “OGGN”
Texas Quality Assurance and the #QualityMatters podcast
Houston Young Professionals Network
Business continuity is the ability of a business to get back to work after something has disrupted it: hurricane, fire, flood, pandemic, or whatever. Business continuity planning is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards.
I said in Part One that business continuity planning is a part of risk management in general. Specifically, business continuity planning means identifying all the risks that could interrupt your business, or some part of it, and then taking action to mitigate those risks or planning contingency actions in case they take place. The basic approach is exactly what I described in Part One, but a few features are unique.
In the first place, you have to start with your Executive Team. This is not a job you can delegate to the Safety Committee. The reason is that every entity inside the organization—every division, every department, every plant, every team—has to be engaged. They have to contribute to defining how to secure their work (because they know it better than anyone else); and they have to know what to do in case disaster strikes. So you start at the top.
When you start to identify business continuity risks, remember that you are looking for anything that can interrupt any aspect of your operations. This means you have to look not only at your direct operations, but at any support functions: billing, payroll, purchasing, and the rest. It also means you have to think about anything that can interrupt your customers or your supply chain. If you were unscathed by a disaster, but your main customers are out of commission and won’t be ordering for another year, you could have a problem. Likewise with your supply chain.
When you identify a risk, you cannot assign it to just one Owner. This is one of the big differences between business continuity planning and other kinds of risk management. If disaster strikes—hurricane, fire, flood, earthquake, or whatever it is—it’s probably going to strike everybody. So you can’t assign the whole problem to Fred or Max and ask him to figure out a solution for the entire company. Instead of that, each member of the Executive Team goes back to his people (or hers, of course) to determine how they have to secure their parts of the business. Depending on the size of your organization, some of them might have to go back to their people as well, to work out the details. Do whatever you have to do, but come back to the rest of the Executive Team with a plan for your area.
Then the Executive Team as a whole reviews the plans to make sure they are consistent. You can’t respond to a disaster by pulling in different directions: so while every team has to figure out what they specifically need, the plans still have to mesh together. As just a single example, if you are going to tell the office folks to work from home they should all be using the same communication platform to keep connected. If your team is the odd one out, you might have to change your plan a little to align with the rest of the company. Make sure you engage all the people you engaged before, so that everyone understands what’s changed.
Finally, when all the details have been worked out, document your plans in the simplest format possible, and store them somewhere that’s easy to find in an emergency. Remind people periodically where to look. (If you do regular fire or emergency drills, you might be able to incorporate pulling a copy of the emergency plan.) And mark a day on the Executive Team’s calendar—six months out, or maybe twelve—to do the exercise again.
Business continuity 1: Basic risk handling
Business continuity is the ability of a business to get back to work after something has disrupted it: hurricane, fire, flood, pandemic, or whatever. Business continuity planning is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards.
It’s a big topic. In a sense it’s a part of risk management in general, though saying that doesn’t narrow it down much. But let me start there.
You probably already have a risk handling system in your organization, so what I say here will all look pretty elementary. Still, I’ll review it briefly.
Think of the Safety Committee in a grocery store. They brainstorm all the ways somebody could get hurt, and then define measures to keep it from happening. If someone breaks a jar of spaghetti sauce in Aisle 3, put up a “Wet Floor” marker and mop it up. Don’t put heavy things on high shelves. And so on.
Sometimes they might think of a risk that’s not very likely: What if a customer brings his dog and the dog bites somebody? Well, OK. It’s true you want to know what risks you face, and (for example) the ISO management system standards all require some level of risk identification. (ISO 9001, ISO 14001, and ISO 45001 all put this requirement in section 6.1.1.) But you can’t prevent everything, so you need to rank your list in order of importance. Then you plan for the ones that really matter, and let the rest go. But what ranking do you choose? Generally there are at least two questions to consider:
Anything that scores high on both questions goes to the top of the list. After that, it’s not so obvious. But here’s one simple approach you can take. Please note two things:
Step one: Score all of your risks according to how likely they are, using just three values: High, Medium, Low.
Step two: Now score all of your risks according to their impact—how bad things would be if they happened—using the same three values: High, Medium, Low.
Step three: Use these two scores to calculate a priority for each risk, using the following formula:
Priority = Likelihood x Impact
| | High | Medium | Low |
| High | High | High | Medium |
| Medium | High | Medium | Low |
| Low | Medium | Low | Low |
On this scale, for example, “getting bitten by a customer’s dog” would probably rank Low for likelihood but potentially High for impact, for a composite priority of Medium.
Now that you have assigned a priority to every risk on your list, what next? The next step should be to address the important ones.
What happens to the risks that you choose not to address? If the store’s Safety Committee updates their list of risks to include “getting bitten by a customer’s dog” and then calculates its priority as only Medium, they might not plan any action for it. So why put it on the list?
The point is that the priority ratings aren’t static. From time to time—at least once a year, if not more often—you’ll review your list to see if things have changed.
So even if a risk falls below your threshold and you decide not to address it right now, keep it on the list. Then the next time you review the list—next quarter, next year, or whenever—you can think about it again. And as long as it stays on the list, you won’t forget.
Managing risk is crucial for reducing supply chain risk. There are several strategies to minimize risks, including risk transfer and risk mitigation. Risk transfer is a strategy whereby companies shift some risks to suppliers, while others remain within the organization. Transferring risks is essential because avoiding risk puts the entire organization at risk. Various tools such as insurance and agreements between vendors can help mitigate organizational risks. However, a vendor cannot fully mitigate risks on their own.
Supply chain security is increasingly focused on digital security and the prevention of cyberattacks. For instance, companies providing critical components to the DoD must ensure their supply chain is secure. Cyberattacks can compromise the integrity of information and key industrial processes and degrade commercial functioning. Recent incidents have highlighted the importance of supply chain cybersecurity. A recent ransomware attack on Colonial Pipeline highlighted the importance of protecting sensitive information and developing plans to protect the supply chain from attacks. Those responsible for providing critical components to the DoD should also invest in building resilience against cyberattacks and gaining access to reserve components to meet their needs.
The complexity of supply chains creates a unique set of risks. Supply chain security can fail to protect the supply chain, which can lead to shortages, inflation, and factory closures. Ultimately, supply chain failure can even threaten national security, which is a nation’s ability to protect its citizens. The key to supply chain resilience is to keep up with the challenges of the ever-changing global environment. However, this is not as easy as it sounds. There is a need for more research on the issues of supply chain security.
Environmental Response is the process of addressing contamination of natural and human environments caused by various types of waste. EPA-established guidelines require companies to report hazardous substances and oil releases, and state and local governments may have additional requirements. The problem lies in the fact that response to such issues is often complicated and difficult to navigate. This is where pre-planning for known risks is vital. What needs to be reported and in which circumstances, how and when will we take immediate action, and who in the local environment needs to be notified? Not that we expect these failures to occur, but when they do, be prepared far in advance.
Take a few moments and think about the health and safety programs at your workplace. Then think about the results of these programs. What are the first few words that come to mind? In an ideal world, words like secure, protected, prepared and confident come to mind. But if you’re like so many people in the industry, words such as unsure, nervous, unprepared, and maybe “good enough” might come to mind.
When it comes to workplace safety, employee communication and participation are critical, and their importance cannot be overstated. This goes beyond, but definitely includes, a well-developed and well-executed occupational health and safety training program and regular toolbox talks. Engaging with the team and understanding their perception of events and policies is more valuable than the best safety assessment.
Workplace safety has business continuity & disaster recovery ramifications, not to mention the impact on human resources when incidents occur and the ultimate result on job security and productivity. A well-functioning Workplace Safety program may be your best defense against business continuity disasters. We’ve seen the role health and safety can play in preventing incidents from occurring and how it can not only protect the lives of your workforce during an incident but ensure workforce stability. Engage your people early and often and build systems based on a culture of safety and accountability.
Developing an effective cybersecurity posture requires solid management techniques, often a robust budget, staffing, and ongoing monitoring. Cybersecurity tools and training raise employee awareness of security threats and the need for defense-in-depth strategies. Careful vendor vetting is another important element of a successful cybersecurity program. The most effective cybersecurity strategies invest in people, processes, and technology to prevent cyber threats. A lack of these elements can lead to an increase in costs, complexity, and staff frustration.
Malicious actors spend days hacking software and looking for vulnerabilities in systems. Cyber Security and Information Technology teams should look at the entire architecture of the computing system and identify the risks and sensitivity of data. The activities are typically concluded with a report on potential vulnerabilities. While the forensics teams are critical in protecting data, it is not enough to install a product that will protect against malware.
Encryption blackmail attacks, also known as ransomware, are a serious threat. Hackers penetrate internal networks via a worm virus and encrypt data using a password only they know. Once they have encrypted the data, the hackers contact the organization, demanding a ransom to decrypt it. Cybercriminals are now the most common form of cyberattacks, and the amount of money spent on cybersecurity is increasing at a rapid pace.
What is really going on with workplace violence and, God forbid, active shooter scenarios? There is no shortage of ideas and theories, but there are some simple facts that are not disputed. Workplace violence has its origins in the hearts and minds of people, people like you and me. Workplace violence is more common when the culture promotes hostility, or strongly suppresses it under pressure that has built for years, hence the term “going postal”. Winning the hearts and minds of our people, being aware of stress and pressure under the surface, and being ready to respond when something or someone slips through the cracks are the keys to preventing workplace violence and active shooter scenarios.
The first steps include employee screening and background checks, but we all know that these are not foolproof; there must be a first incident for anyone. The same skills and tools we use for workforce stability will be critical here. As managers, owners, and operators, ensure you truly get to know your team members. Ensure they are comfortable sharing troubles and concerns that are hampering their ability to perform, and ensure you are investing back into their training and development.
Development of a workplace violence response plan is going to be vital. The plan should highlight what you can do to stabilize the situation, communicate with employees, and transition into recovery mode. You may consider investing in armed security and/or select team members to deter someone who otherwise would seek to do harm. No doubt solutions such as these present their own risk, and they must be reviewed, with proper contingency plans and efforts developed to maximize the benefit. Programs are also available to provide support and assistance for employees struggling with mental health and struggles at home.
At the end of the day, the key is going to be winning the hearts and minds of your employees by building trust and security and being prepared for the worst.
Workforce instability has changed dramatically since the COVID-19 pandemic, and the Great Resignation that followed showed us all how critical an issue workforce instability is. One of the most critical aspects of improving workforce stability is increasing employee productivity, morale, and retention. All these elements contribute to employee/worker satisfaction and our ability to build and grow the teams and culture necessary to stay competitive in such turbulent times as these. Consequently, workplace stability can help employers improve the personal stability of their employees, creating a positive feedback loop.
In addition, a business can avoid workforce instability by promoting employees from within. By doing so, it can improve brand value, increase morale, and improve productivity and profitability. For example, if you have a low-wage employee, you might want to consider a temporary employee instead of hiring a permanent employee. Employee retention can be a difficult process, but it can help improve business results. Keeping employees happy and productive is critical to the long-term success of a company.
Our team members, both current and future, are looking to find more value and meaning in their work, as well as to be better valued and understood. The soft skills of management have truly never been more important, valuable, and beneficial than they are today. Sad but true, college education and on-the-job training do a poor job of teaching these skills. New ideas, new methods, and new training programs like the API Skills are going to be vital for building and training the workforce of tomorrow.