An effectively implemented management system aligns the policy with strategic and management system objectives and provides the framework upon which to translate these objectives into functional targets. Establish and maintain documented quality objectives and targets at each relevant function and level within the organisation. The objectives and targets establish an important link between the policies and the management programmes. The objectives and targets must be consistent with the policies, including the commitment to, for example in the case of ISO 14001, prevention of pollution and continual improvement.
Depending on the size, management structure, and other factors pertaining to your organisation, the objectives may be established and reviewed by various personnel and with direct Top Management input. Your organisation will need to set its environmental, quality and health & safety objectives for relevant functions, levels and processes within the management system. It is for your organisation to decide which functions, levels and processes are relevant.
You should also use indicators to monitor the achievement of objectives. Indicators should be a measurable representation of the status of operations, management or conditions. Each objective should have one or more associated indicators. Objectives can apply to an entire organisation, can be site-specific, or can be specific to individual activities.
The appropriate level(s) of management personnel should define the objectives and targets. In some cases, personnel who set objectives may not be the same as those who set targets. Remember that the objectives are the overall goals as reflected in the principles established in the policy. The scope and number of the objectives and targets must be realistic and achievable. Otherwise, the success and continued commitment from Top Management and employees will diminish. Consider the factors below, as you begin to formulate your objectives:
Targets must be quantified where practicable and the units that are used to quantify the targets are referred to as Key Performance Indicators (KPIs). A KPI is defined as an expression that is used to provide information about management system performance. The following are some examples of KPIs:
Carefully consider the type of KPI you choose to use. Suppose your organisation establishes a target to reduce its non-hazardous waste by 40% and the KPI you choose is the total tonnage of waste produced each year (tonnes/year). If your organisation triples its production of units and reduces the amount of waste by 50% per product unit, the KPI (tonnes per year) does not show the reduction. In this case, the better KPI would have been the weight of waste per product unit (kg per unit). In many cases, measuring against the production units proves to be more accurate. The following is an example of an objective with a specific target and an environmental performance indicator:
Organisations need to establish and maintain one or more management improvement programmes for achieving their objectives. The management improvement programme is a key element to the success of the management system. Properly designed and implemented, management programmes should achieve the objectives and, consequently, improve your organisation’s performance. The management programme must:
If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us. Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
The objective of Risk Treatment and Risk Mitigation is to identify how your identified risks will be treated. Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Very High, High and Moderate residual risks) and taking relevant action. For each risk, the risk owner must establish an appropriate level of treatment. Control measures in addition to those already existing may be needed to achieve this level of mitigation. Accountable managers should engage with risk owners to develop a satisfactory response for each risk in order to:
The risk owner is responsible for the development of the response. When a response action is completed, the risk should be reassessed to reflect any newly introduced control measure.
Monitoring
Continuous, systematic and formal monitoring of the implementation of the risk and opportunity process and its outputs takes place against appropriate performance indicators to ensure process compliance and effectiveness. Monitoring takes a variety of forms that range from self-assessment, inspections and internal audits, to detailed reviews by independent external experts.
Escalation
On occasion, it may be appropriate to escalate a health and safety risk to ensure it is assessed and/or managed by the person or party best placed to do so (able and with appropriate authority). For example, a situation where a more substantial or coordinated response is required than the current risk owner can authorise or implement will justify higher-level assessment and/or management, as appropriate:
Managing opportunities
Your organisation recognises an ‘opportunity’ as a set of circumstances which makes it possible to leverage positive factors and attributes, for example:
Opportunities may be identified as positive effects of risks, as in a risk forcing implementation of a risk reduction measure that is beneficial in a broader context than just reducing a particular risk. For example, health risks may require measures to improve the working environment. These measures also create opportunities to attract and retain better qualified employees, improve morale and job satisfaction, and reduce turnover, and so the initial health risk creates positive opportunities to improve the overall job satisfaction. Check that any actions taken to address the risks and opportunities are recorded, that each action was effective at addressing the issue, and that the action taken was proportionate to the risk or opportunity. Consider the following as useful tools:
Understanding the risks and managing them appropriately will enhance your organisation’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals. By considering risk throughout your organisation the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product and/or service. Risk-based thinking therefore helps to:
I suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organisation’s transition to risk-based thinking, also using an approach that ring-fences processes into ‘risk themes’ or groups such as:
Risk and opportunity assessment
Assessment of the severity of a risk drives management attention and supports planning for risk mitigation. A qualitative risk assessment scheme consisting of qualitative probability and impact scales is used to ensure consistency. Ensure that all accountable managers engage with risk owners to:
Forecasting probability, cost and time data is about assessing each risk based on the causes and effects described, taking into account the existing controls and active responses. Probability or likelihood estimations should be established giving due consideration to the effectiveness of existing control measures. The consequence evaluation criteria are about assessing against potential financial loss, reputation impact, health and safety, legal and regulatory compliance and management time and effort. Risk assessments should be undertaken to provide an improved understanding of the risk profile and derive a more detailed understanding of certain cost and time risks. Forecast probability, cost and time data can be assessed for each risk based on the causes and effects described, considering the existing controls and active responses. The consequence evaluation criteria define the consequence criteria, assessed against potential financial loss, reputation impact, health and safety, legal and regulatory compliance and management time and effort.
Risk identification should be carried out with the full involvement of the relevant parties to ensure the relevant perspectives and expertise are represented (e.g. appropriately qualified representatives from various functions, contractors, stakeholders, suppliers and specialists as appropriate). Risk and opportunity identification is a critical activity at both a strategic and operational level. It needs to include all significant sources of risk, including those beyond our organisation’s control.
If a risk, threat, or opportunity is not identified, there can be no strategy to address it. The objective of this step is not to create an onerous and lengthy list of all possible risks, but to identify all significant risks that could impact our organisation. Risks and opportunities are identified through the use of:
Plan the actions needed to address the risks and opportunities
When deciding how to plan and control the management system, including its component processes and activities, your organisation needs to consider both the type and level of risk associated with them. Ensure that your organisation is taking a planned approach to addressing risks and realising opportunities, and that any actions taken have been recorded. Options to address risks and opportunities can include:
Formal business risk assessment can be performed by the organisation taking into consideration its context, associated risk and opportunities and mitigation plan. The use of the process approach by your organisation can identify sources of input, activities, output, end-user/customer, performance indicators to control and monitor processes, and the risks and opportunities associated with them, and action plans used to address them:
Throughout ISO management systems, there is a reliance on addressing your organisation's risks and opportunities. These should be relevant to the context of your organisation as well as any interested parties. You should ensure that your organisation has applied a risk identification methodology consistently and effectively. This is very important and at the heart of all four of our ISO standards, which all take a risk-based approach. Indeed, in ISO 9001 alone, reference to risk-based thinking is present in all of the following clauses:
ISO defines a risk as the ‘effect of uncertainty on the expected result’. Effective management of risk is talked about well in advance to ensure there are fewer surprises, improved planning, effective decision making and better relationships with stakeholders. Effective management of risk leads to better performance, continual improvement and increased customer satisfaction. Opportunities are considered the positive side of risk, which is why ISO 9001:2015 focuses on reducing risk and identifying opportunities. External and internal issues, and relevant needs and expectations of relevant interested parties, may be sources of risks. All management system processes represent differing levels of risk in terms of your organisation’s ability to meet its objectives. For this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organisations.
Risk and opportunity register
While not mandated by ISO 9001, ISO 14001, ISO 45001 or ISO 27001, risk and opportunity registers can help identify and record the risks and opportunities facing different areas of the business, and identifying risk is a critical step in managing it. Risk and opportunity registers will allow your organisation to assess the risk in context with the overall context of your organisation, and will help to record the controls and treatments of those risks. Risk and opportunity registers can be developed in tiers:
The risk and opportunity register or risk log becomes essential as it records identified risks and opportunities, their severity, and the actions and steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages. As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.