Throughout ISO management systems, there is a reliance addressing your organisation's risks and opportunities. These should be relevant to the context of your organisation as well as any interested parties.

You should ensure that your organisation has applied a risk identification methodology consistently and effectively. This is very important and at the heart of all four of our ISO standards which all take a risk-based approach. Indeed, in ISO 9001 alone, reference to risk-based thinking is present in all of the following clauses:

• Determine and address risks (Clause 4.4.1);
• Promote risk-based thinking (Clause 5.1.1);
• Ensure risks determined and addressed (Clause 5.1.2);
• Determine risks that need to be addressed to achieve intended results (Clause 6.1.1);
• Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2);
• Control those risks identified (Clause 8.1);
• Evaluate effectiveness of actions on risks (Clause 9.1.3);
• Review effectiveness of actions on risks (Clause 9.3.2);
• Improve the quality management system responding to risk (Clause 10.3).

ISO defines a risk as the ‘effect of uncertainty on the expected result’. Effective management of risk is talked about well in advance to ensure there are less surprises, improved planning, effective decision making and better relationships with stakeholders. Effective management of risk leads to better performance, continual improvement and increases customer satisfaction. Opportunities are considered the positive side of risk which is why ISO 9001:2015 focuses on reducing risk and identifying opportunities.

External and internal issues, and relevant needs and expectations of relevant interested parties, may be sources of risks. All management system processes represent differing levels of risk in terms of your organisation’s ability to meet its objectives. Due to this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organisations.

Risk and opportunity register

While not mandated by ISO 9001, ISO 14001, ISO 45001 or ISO 27001, risk and opportunity registers can help identify and record the risks and opportunities facing different areas of the business and identifying risk is a critical step in managing it. Risk and opportunity registers will allow your organisation to assess the risk in context with the overall context of your organisation, and will help to record the controls and treatments of those risks. Risk and opportunity registers can be developed in tiers:

• Strategic level - risks and opportunities associated with the local, regional, and global economic, social, political, cultural, regulatory and competitiveness, key stakeholder strategies or strengths and weaknesses in attaining objectives.
• Operational level - organisational structure and culture, existence of any operational constraints, business resilience vulnerabilities, issues relating to recent change management, stakeholder community concerns, regulatory and contractual requirements and constraints.
• Process level - stability of IT systems, human error, measurement and inspection failures, environmental or workplace safety, mechanical failure, process quality, internal controls and compliance errors, ineffective processes with poor performance metrics, or process controls not functioning.

The risk and opportunity register or risk log becomes essential as it records identified risks and opportunity, their severity, and the actions and steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages. As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.
​

• Description of the risk;
• Risk type (business, project, stage);
• Likelihood of occurrence which provides an assessment on how likely it is that this risk will occur;
• Severity of effect which provides an assessment of the impact that the occurrence of this risk would have on the business;
• Countermeasures and actions taken to prevent, reduce, or transfer the risk. This may include production of contingency plans;
• Risk owner who is responsible for ensuring that risks are appropriately engaged with countermeasures undertaken;
• Current status of whether this is a current risk or if risk can no longer arise and impact;
• Other columns such as quantitative value can also be added.

When implementing an ISO management system, you should check whether your quality, environmental, health & safety and/or information security policies have been communicated and understood throughout your organisation. The policies must also be available to any relevant interested parties.

If the personnel interviewed do not know what their measurable objectives are and/or do not know what the organisational objectives are that they have a direct impact upon, then you might need to evaluate the communication of your policies and objectives.

Inferred awareness through knowledge of procedures is not considered sufficient - otherwise why have the requirement in the first place? A quick and convenient way to promote and communicate the policy might be to create a shortened version of the main policy - try condensing it to five key words or even a couple of short sentences. This can be posted on bulletin boards, for example.

You could even add it to the reverse side of staff security passes or ID badges. The point is that you need to determine if your policy meets the intent and are understood. The exact content of policies does not need to be recited by individuals, but an awareness of the policies and how their job affects the company objectives is what you’re aiming for.

Organisational roles, responsibilities and authorities

Each employee needs to know who is responsible for the various elements of your management system to ensure a successful implementation. Develop an organisation chart and create job descriptions in order to clearly define roles, responsibilities and authorities and communicate those responsibilities and authorities throughout your organisation.

You should develop and make available to all employees a list of key personnel and their job descriptions, responsibilities, along with an organisational chart of key employees as they relate to your management system. This should effectively define, document, and communicate the organisational structure of the management system.

There is a need to demonstrate that there are identified staff who are responsible for ensuring parts of your management system is being properly taken care of. The sort of actions to think about might include:

• Communication of roles, responsibilities and authority;
• Processes and procedures to fulfil requirements are adequately resourced;
• Awareness of expectations is demonstrated in all relevant levels of the organisation;
• Reporting on the operation (e.g. results of audits and inspections) and performance of the management system (e.g. in business meetings, KPI reviews, etc).

You should ensure that your organisation’s personnel have not only been advised of their management system responsibilities and authorities, but also that they understand these in the context of the overall purpose of the management system. You should also ensure that Top Management have assigned responsibility and authority for preserving the integrity of the organisation’s management system during changes (e.g. developing a new product or service line, moving premises, etc).
​
​If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.
​
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

ISO 9001:2015 requires your organisation’s quality policy to be appropriate to both its purpose and context. This means that once your organisation has determined its context and the relevant requirements of its interested parties, Top Management must review the quality policy in light of that information.

You should review your organisation’s existing quality policy to determine whether it is appropriate to the context of the organisation and its purpose, that there is a commitment to continually improving the quality management system, and the quality objectives are consistent with the quality policy. Top management should demonstrate that the quality policy is compatible with the strategic direction and context of the organisation, as required by Clause 5.1.1 b.

Your organisation will need to review its policies as necessary to ensure that any changes in context, interested parties or their requirements is reflected in the quality policy and whether your organisation’s objectives are affected (6.2.1 a). The policy does not have to include objectives but should create a framework for establishing them.

The policy should be stated in such a way that it shows you are working towards continual improvement. It should be reviewed and possibly revised to meet higher aspirations. Develop and implement a policy that is consistent with the company’s codes of conduct and business practices. The policy should be signed by Top Management and commit to:

• Preventing process loss or quality impacts;
• Complying with obligations and legal requirements;
• Promoting continual improvement;
• Adopting best practice;
• Creation of measurable and achievable targets for performance improvement;
• Providing resources to achieve targets;
• Communicating and consulting with all stakeholders regarding the QMS;
• Meeting customer requirements.

The standard does not require that the quality policy includes the words ‘continual improvement,’ however it must be clear that processes of continual improvement are implied and known throughout the organisation. To meet the intent of this clause, you simply need a clearly defined management system quality policy that is sufficiently detailed to provide a framework for the subsequent objectives which can be monitored for continual improvement.

It’s there to assist an organisation in meeting their business objectives, better customer satisfaction and eventually more market share, which, in time, brings more profits for the organisation. For multi-site/corporate certifications, the policy must be applicable for all sites and be fully integrated with the objectives.

​If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.
​
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

Customer focus involves determining customer requirements and ensuring that processes exist to meet the requirements and achieve customer satisfaction. Enhance customer satisfaction by ensuring that customer requirements are identified.

The principal message that Top Management must convey is that the objective of the business is to satisfy your customers by ensuring a process exists to achieve the following:

• Identifying customer requirements;
• Meeting customer requirements;
• Enhancing customer satisfaction.

When auditing customer focus, you should assess whether customer satisfaction is adequately determined and whether appropriate corrective action is undertaken when things go wrong.

The customer feedback process should be audited as a process in its own right and not just as a clause in the standard. Determine how this process is planned, implemented and improved as these factors will affect the processes’ ability to provide meaningful information about the effectiveness of the management system.

Top Management must also ensure that customer and applicable statutory and regulatory requirements are identified and consistently met and that the focus on enhancing customer satisfaction is maintained.

Top Management must also determine and address the risks and opportunities that can affect conformity of products and/or services and the organisation’s ability to enhance customer satisfaction.

You should seek and record evidence that Top Management is taking a ‘hands-on’ approach to the management of the management system, so be prepared to constructively challenge Top Management’s commitment.

Top Management’s commitment can likely be demonstrated by their actions, and by their views on the what the Management System policies mean to the everyday activities of your organisation, as well as policies’ relationship with your organisation’s strategic direction.

• Are Top Management attending management review meetings?
• Do they support the QMS Manager (or equivalent) during day-to-day activities and with improvement initiatives?
• Do they lead the way and take accountability for the effectiveness of the QMS?
• Have they ensured that responsibilities and authorities for relevant roles are assigned and understood?
• Have they ensured that responsibilities and authorities are communicated?
• Have they established, implemented and maintained policies and objectives?

​
If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.
​
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

Whichever management system you put in place, Top management must ensure that the requirements of the management system, including the policies and objectives, are consistent with the strategic context and direction of your organisation, and that the policies and objectives are established whilst ensuring that the human and financial resources needed for implementing the management system are available.

Top Management should take a ‘hands-on’ approach to the management system during interviews and whilst recording compliance to other requirements e.g. determining organisational context, policies, objectives, management review minutes, provision of resources etc.

• How are policies and objectives established?
• Do they align with the strategic direction and the organisational context?
• How are policies and objectives communicated within the organisation?
• Can you demonstrate how policies are understood and applied?
• How are the requirements of the Management System integrated into the business processes?
• How is awareness of the process approach promoted?
• How are resources determined?
• How do you communicate the importance of effective Management System management, and conforming to Management System requirements?
• How do you ensure that the Management System achieves its intended results?
• How do you engage, direct and support people who contribute to the effectiveness of the Management System?
• How is continual improvement promoted?
• How are other relevant management roles supported to demonstrate leadership in their areas of responsibility?

Without solid management commitment, you will not have a successful management system. This is not a commitment in words, it is the continuous and active demonstration to everyone in the organisation that the need to meet customers’ expectations is vital. The actions required of Top Management must include:

• Supporting the management system and actively promoting the agenda;
• Encouraging the goal of meeting customer, regulatory and statutory requirements;
• Developing and supporting the management system by defining and communicating policies;
• Establishing organisational objectives;
• Ensuring appropriate resources are available;
• Implementing and improving the management system by encouraging employees to achieve requirements;
• Reviewing management system performance;
• Ensuring resources are available to improve the management system.

​
If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.
​
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).