There’s no getting away from it - whichever ISO standard you look at, whether it’s the one for quality, the environment, health & safety, information security, etc - controlling your own supply chain is a major part of the requirements.
And with good reason. In all standards the delivery of your objectives, whatever they are, will undoubtedly rely on the competence, expertise and/or professionalism of a supplier somewhere along the line, from outsourced couriers to accountants.
Quality management, for example, addresses this with the concept of a chain - in this chain everyone in an organisation, no matter where they work in it, is considered a link, and the chain eventually leads to an external customer.
Put simply, if quality is maximised as a product or service moves along this chain, then ultimately the external customer will be satisfied. Changes in customers’ requirements should also be able to be communicated effectively backwards along the chain. These chains stretch back to suppliers, making their role key to the whole outcome of quality for an organisation.
So for this concept to work in practice, good communications throughout an organisation - and its suppliers - are essential.
Another factor is that, as companies improve their own quality performance as a result of implementing a management system, attention will, eventually, naturally turn to their supply chain as a source of ‘variation’ and therefore an opportunity for improvement (notwithstanding the fact that ISO 9001 mandates that organisations shall “determine and apply criteria for the evaluation, selection, monitoring of performance and re-evaluation” of suppliers). So how should this be done?
A practical approach to assuring quality in supply chains is one based on risk. That is, companies assess their supply base according to the risk they present to their end product or service, and apply resources accordingly.
In this scenario, critical suppliers warrant the deepest evaluation (e.g. strategy, processes, systems), monitoring (e.g. tailored key performance indicators) and the most focus on giving those suppliers support for their own improvement. At the other end of the spectrum, transactional suppliers (e.g. cleaners, bookkeepers, etc) only require high-level evaluation, exception monitoring and almost no improvement support.
The first stage to guarantee quality in your supply chain is to assess and approve suppliers on their capability to supply to requirements consistently. Yes, the first step in this stage is for procurement to accept the price range offered by the potential supplier - but then they should be subjected to a supplier qualification assessment. This should be assessing whether the potential supplier has the capability to supply to your requirements.
As an organisation you should consider several criteria when conducting the assessment depending on what it is you deliver to your own customers or clients and what their requirements are. Only through doing it this way do you know if you’ve got a ‘close fit’.
The second stage is the monitoring and improvement of key suppliers. It is always better to plan and prioritise visits to key suppliers, spending more time with the ones that need more monitoring and development. It is also important to let the supplier’s management know what the monitoring and development consists of and how the supplier partnership should be conducted.
The best approach is to work with your suppliers to identify any weaknesses they might have, making sure that they understand and accept your findings, and to assist them in developing possible solutions for improvement.
In addition to better quality of outcomes, you’ll also find that you’ll get an improvement in productivity. This increase in productivity, efficiency and effectiveness will enable the supplier to offer competitive prices to you - so a win-win situation for both! You’ll find that those key suppliers that performed well will be rewarded with some of your increased share of the pie (so more purchase orders for them).
And finally, a word about skills and competency in your supply chain. It’s worth noting that more established (usually larger) suppliers will have the resources to hire better staff and also send them out for training and development. Smaller suppliers are not always able to do this.
However, the flip side is that you can often work more easily with smaller suppliers to identify weaknesses and indicate where they need improvement. If you can find a smaller supplier who genuinely wants to work with you in a true partnership, this can be worth its weight in gold (so to speak).
What are ISO standards, and what is their benefit to organisations? That's the million dollar question, and one worth exploring before you go to the time and effort of implementing them!
ISO the organisation administers over twenty thousand standards in all areas and sectors of industry. But by far the most widely used are these three:
…and this one is becoming more and more popular in the current climate:
The year after the colon is simply a reference to the last time they were updated. All ISO standards are reviewed every six to eight years and at this point they may or may not be updated. The version of ISO 9001 before the current one was 2008 (hence the designation you may have seen ISO 9001:2008). The one before this was ISO 9001:2000. So the actual period of time between a change in standards can vary. There are currently no plans to update the ISO 9001:2015 standard.
When a standard is updated, there is always a lengthy transition period to make any changes. The latest ISO 9001:2015 revision was introduced in September 2015, and companies certified under the previous version (ISO 9001:2008) were told that they had three years to transition. The deadline for ISO 9001:2015 transition was 15 September 2018, which gave companies plenty of time to prepare.
How popular are they?
There are over one million companies and organisations in over 170 countries certified to ISO 9001. There are more than 300,000 certifications to ISO 14001 to be found in 171 countries. Note that these figures are just ones who are certified, there may be many companies operating to these standards but not certified, or who are in the process of getting certification.
ISO 45001:2018 is a new standard, but with a long history. It is set to replace OHSAS 18001 - this was a British Standard for occupational health and safety management systems and compliance with it enabled organisations to demonstrate that they had a system in place for occupational health and safety.
It was born out of a time when organisations worldwide recognised the need to control and improve health and safety performance with an occupational health and safety management system (OHSMS). However, before 1999 there was an increase of national standards and proprietary certification schemes to choose from. This caused confusion and fragmentation in the market and undermined the credibility of individual schemes.
Recognising this deficit, an international collaboration called the Occupational Health and Safety Assessment Series (OHSAS) Project Group was formed to create a single unified approach. The Group comprised representatives from national standards bodies, academic bodies, accreditation bodies, certification bodies and occupational safety and health institutions, with the UK’s national standards body, BSI Group, providing the secretariat.
Drawing on the best of existing standards and schemes, the OHSAS Project Group published the OHSAS 18000 Series in 1999. The Series consisted of two specifications: 18001 provided requirements for an OHS management system and 18002 gave implementation guidelines.
These requirements were used in many companies around the world. However, they did not have the worldwide recognition that comes with a standard released by ISO, so a new ISO standard was voted upon and agreed by over 100 member nations from around the world. After a justification study the decision was made to release an OHSMS requirements standard from ISO.
In October 2013 the ISO 45001 standard was proposed, and a technical committee was formed, and worked until December 2015. From 2015 to 2017 a first draft failed to gain approval, but a second draft was approved. The finalised standard was published in March 2018.
After this point companies have three years - until March 2021 - to transition over to ISO 45001 if they have an OHSMS in place to the OHSAS 18001:2007 standard, at which point BSI will formally withdraw OHSAS 18001.
So at present it’s difficult to find definitive numbers on how many companies are certified due to the crossover from a British Standard to an ISO, but it’s particularly popular in manufacturing companies and any firms operating in the built environment. Indeed, it’s often a prerequisite to get on the supply chain lists of many large building firms.
Finally, there are around 34,000 ISO 27001 certifications issued worldwide, although this grew by a whopping 20% from 2018-2019 so as a standard it’s really starting to catch up.
So these are the standards we focus on as the key to improving your business.
The huge impact on businesses due to the COVID-19 pandemic has forced many businesses to come up with other revenue-raising ways.
This has sparked a ‘revolution in innovation’ as businesses either deliver their products or services differently or pivot to something completely new.
But businesses don’t have to wait for the next ‘big shock’ to find out whether they have the innovative nous to survive. Adopting a management system now can ensure that moving over to new business practices becomes a seamless process.
The link between business management systems is a strong bond. ISO systems are not just about continual improvement, they are also inherently linked to innovation. And in the current- and post-COVID economy, that’s something we’re going to need more than a small slice of.
Running a business along ISO management system lines means you’re looking for improvement by involving a whole range of stakeholders, from every employee to your clients, customers, suppliers and any other key person or group you’ve identified. You’re always after their views; you’re always gathering market information; you’re a very ‘switched on’ company. You marshal your resources in a way which makes you able to look for improvement and innovation at every level.
Let’s look at the figures: the failure of new products is well documented. For example, the retail and grocery sector sees an 85% failure of new products in the first year. The computer games industry sees around 50% of its sales generated by only 10% of releases.
The failure rate in the music industry is spectacular, with approximately 80-90% of new releases being duds. In the online magazine publishing industry, a massive 80% of new publications fail to last more than 12 issues, and book publishing is a notoriously difficult nut to crack where only a tiny proportion of new releases generate any kind of profit.
Genuine business improvements and new ideas as a result of them are actually very difficult to come across. Just look at confectionery manufacturers and the way they incessantly bring out bigger/smaller/special edition versions of 60-year-old snacks. This tired old formula has now become the template of product and service development in industries right across the board. There is, of course, one fundamental flaw with this process: the vast majority of things created by it fail.
But business improvement and innovation is so important because we are facing a number of key challenges. Globalisation, technological and knowledge revolutions, cultural debate and climate change are issues that face us all at some level. They mean that as well as wanting to improve and innovate in order to improve a process or product and add value, we also have to improve and innovate because there is an overwhelming imperative to do so.
The knowledge-driven economy brings new challenges for business. Markets are becoming more global with new competitors, product lifecycles are shortening, customers are more demanding and the complexity of technology is increasing.
So while the knowledge economy represents new opportunities, certain actions are needed to support and take advantage of these developments.
In the knowledge-driven economy, improvement and innovation have become central to achievement in the business world. With this growth in importance, organisations large and small have begun to re-evaluate their products, their services, even their corporate culture in the attempt to maintain their competitiveness in the global markets of today. The more forward-thinking organisations have recognised that only through such root and branch reform can they hope to survive in the face of increasing competition.
This is why the use of ISOs is so important. A successful business today understands the value of both improvement and innovation, and it knows that while these terms may have different meanings, they are equally critical for long-term business success. Organisations that embrace both methods of increasing business value are the ones that will not only survive, but thrive in today’s competitive marketplace.
Improvements are small, incremental changes that make a business’s goods or services better in some way, whether by reducing cost, increasing value, improving safety, or enhancing quality or satisfaction. They’re typically low-cost, low-risk ideas that can be implemented by the people doing the work all day, every day. Improvements start with examining a current process and asking the question: “How can I do this better?”
The trick is to couple this with innovation, which starts with the status quo and asks: “How can I do this in a whole new way, to achieve significantly better results?” Innovative ideas are ground-breaking, far-reaching, significant changes to business processes that serve the purpose of improving the organisation in wide swathes. But you have to have your business processes functioning properly in the first place.
Food for thought before the next economic shock rumbles inevitably towards us.
“Should I get ISO certification?” - this is a question only you can answer, and really only when you’ve answered the question “why do I need ISO certification?”
It might be that you need it because a client has said it won’t deal with you until you do; or you want to get onto a supply chain list; or your competitors have it so you need to get it to compete.
While there’s nothing at all wrong with any of these reasons, the trouble is they drive a ‘tick box’ industry when it comes to certification. Certification just becomes an end in itself, and simply a side project that achieves certification by ticking off a series of actions in preparation for an audit, and is then ignored as soon as the auditor walks back out of the door and other priorities take over.
Then it’s back to battling through self-inflicted mistakes and complaints for another 11 months before starting to look at fabricating evidence to show the auditor again in a month’s time. This is an all-too-familiar story.
The main reason you should want ISO certification is the reason they were developed in the first place - to improve your organisation.
The quality standard - ISO 9001 - is used by over one million companies across the world and is revered by large corporations and small firms alike. If it’s applied properly and diligently, then organisations reap the benefits over time.
The only problem with it is that it’s a seriously underused system, mainly because of all of the unnecessary bureaucracy, costs and generally poor implementation which have become associated with the certification of them. But this does not have to be the case. If done correctly it can be, simply put, the most effective way of improving your business.
If you strip away all of the rigmarole surrounding certification, then it can be the level-best way to continually improve your business from your customer’s point of view.
So when trying to gauge if it’s worth it, then this is a really important thing to frame it against.
Due to the nature of ISOs, it can be difficult to work out whether it’s cost-effective - many of the costs fall into the ‘it depends’ category (it depends on your company size, sector, risks, etc) and the benefits will depend on many things so can only be estimated.
“Is ISO worth it?” might be one of those million dollar questions, but in reality it’s more of a “work in, work out” answer. The benefits that are gained will vary greatly on the ISO standard that you implement and the amount of effort you put into improving the management system.
Some of the benefits are not as obvious as they can be harder to quantify. For example, when implementing ISO 9001 we would be looking at your processes and identifying streamlining opportunities, often reducing time and paperwork. Unless you are doing time and motion studies then it will be hard to obtain the cost benefits from these improvements. But you can certainly estimate how much time and money you have saved and see the value from that perspective.
The more focus you place on process improvements the more benefit you will gain - the ISO 9001 standard, as we’ve discussed, is all about continual improvement.
The ISO 14001 standard on the other hand could be easier to justify from a money perspective as you will need to monitor your waste and utilities usages. It is very easy to save money from both with this environmental standard. It is not uncommon for businesses to save at least 10% year-on-year through improvements and just focusing on those areas such as energy reductions.
It’s possibly harder to demonstrate cost benefits with the ISO 45001 standard but there are some businesses that will see the value of this more than others, especially when you analyse time off work through sickness or accidents. If you reduce these and improve the wellbeing of personnel then this will return monetary savings.
Likewise, ISO 27001 enables organisations to avoid the potentially devastating financial losses caused by data breaches. The global average cost of a data breach has skyrocketed to £3.13 million (a 6.4% increase from 2017), according to the Ponemon Institute.
The standard is also designed to ensure the selection of adequate and proportionate security controls that help to protect information in line with increasingly rigid regulatory requirements such as the EU General Data Protection Regulation (GDPR) and other associated laws.
When you’re looking at costs there’s a lot to take into account, such as implementation costs, employee hours costs and Certification Body costs (IF you want to be certified - you don’t HAVE to be certified).
The Ideas Distillery’s spent a lot of time putting together a rough-and-ready spreadsheet calculator - our Cost Benefit Analysis (CBA) tool - to address the main areas of installing an ISO management system, including becoming certified.
The idea is, at the end of the process, you can see the overall costs and compare these with the overall benefits, in the context of both one-off and ongoing costs and benefits, and how ISOs might benefit you (or not) in the long term.
The downloadable CBA tool and accompanying guides (there’s one for ISO 9001, 14001 and 45001 then a separate one for ISO 27001) will quickly get you underway allowing you to work out a good indication of how much your chosen path is going to cost.
When future history books are written, the pandemic of 2020 may well go down as the time when the way we live and work changed fundamentally.
The workplace of the future could look markedly different from the ones we were using in 2019, from flexible working spaces to plasma ventilation systems, body temperature sensors, desk screens, and the many other things which may become commonplace.
Undoubtedly many things will change because they will have to, in order to remain relevant and useful to our current plight. And ISO standards will be no different.
There are current elements of ISO standards which have already become more prominent and important to the organisations that use them. Hopefully this will also spur others to see the value they can bring in a Covid and (hopefully, and soon) post-Covid world.
Our first example will be ISO 9001, which is the standard that deals with the management of quality systems, and its focus on disaster recovery and business continuity.
With this standard you have to look at your risks and document them, along with the controls you’ll use to minimise any adverse effects this would have. Typical risks have traditionally been identified as extreme weather events affecting property, transport and power supplies (which can also have an impact on global supply chains); cyber-attacks and disruption to IT systems; changes to regulations and the political landscape; and loss of customer confidence due to negative publicity.
The idea is that you’ll manage disruption and limit the effects of these events to ensure business gets back to normal as quickly as possible.
Now, we’ve seen many a Business Continuity Plan that has also listed ‘pandemic’ as a scenario, but one that has probably never been envisaged as coming to pass. However, this is without doubt going to change, and how a business weathers a ‘virus event’ will become a hot topic for discussion across management teams up and down the country for years to come.
Another big area of significance will be attached to ISO 45001 - the standard addressing health & safety - and how assessing the risk of Covid in the workplace will become a primary concern.
In the UK, this falls under general management of health and safety in the workplace regulations, and all employers have to take reasonable steps to protect workers and others from the virus. A Covid-19 risk assessment is seen as a key part of this.
Guidance from the Health and Safety Executive, itself drawing on guidance from Public Health England, set out a series of issues employers need to take into account when undertaking this assessment, such as identifying what work activity or situations might cause transmission of the virus; who could be at risk; how likely it was that someone could be exposed; and how they would act to remove the activity or situation, or if this wasn’t possible, control the risk.
In addition, some groups of people could be at more risk of being infected and/or an adverse outcome if infected, and this also needs to be considered in the risk assessment.
So having a properly set up health & safety management system with a defined way of carrying out risk assessment using all of the available guidance definitely made life easier for organisations that had the ISO 45001 standard, and will continue to do so.
And finally, a nod to the importance of the ISO 27001 information security standard - organisations that had an information security management system in place found it so much easier to handle setting up staff working from home.
Organisations with the standard already had a suite of policies for working from home, along with risk assessments already completed, controls in place to combat unauthorised remote access, logging of network access so it could be traced in the event of an incident, along with processes in place to close down any incidents as quickly as possible.
So as we change our ways of working, many elements of the most popular ISO standards are there to make it as easy as possible.
And the reason? Because they are all ‘risk-based’ standards. This means that they help you to focus your resources toward things that present a higher risk to you and your customers and clients. And these days, that means a lot.