“Should I get ISO certification?” - this is a question only you can answer, and really only when you’ve answer the question “why do I need ISO certification”?
It might be that you need it because a client has said it won’t deal with you until you do; or you want to get onto a supply chain list; or your competitors have it so you need to get it to compete.
While there’s nothing at all wrong with any of these reasons, the trouble is they drive a ‘tick box’ industry when it comes to certification. Certification just becomes an end in itself, and simply a side project that achieves certification by ticking off a series of actions in preparation for an audit then ignored as soon as the auditor walks back out of the door and other priorities take over.
Then its back to battling through self-inflicted mistakes and complaints for another 11 months before starting to look at fabricating evidence to show the auditor again in a month’s time. This is an all-too-familiar story.
The main reason you should want ISO certification is the reason they were developed in the first place - to improve your organisation.
The quality standard - ISO 9001 - is used by over one million companies across the world and is revered by large corporations and small firms alike. If it’s applied properly and diligently, then organisations reap the benefits over time.
The only problem with it is that it’s a seriously underused system, mainly because of all of the unnecessary bureaucracy, costs and generally poor implementation which have become associated with the certification of them. But this does not have to be the case. If done correctly it can be, simply put, the most effective way of improving your business.
If you strip away all of the rigmarole surrounding certification, then it can be the level-best way to continually improve your business from your customer’s point of view.
So when trying to gauge if it’s worth it, then this is a really important thing to frame it against.
Due to the nature of ISOs, it can be difficult to work out whether it’s cost-effective - many of the costs fall into the ‘it depends’ category (it depends on your company size, sector, risks, etc) and the benefits will depend on many things so can only be estimated.
“Is ISO worth it?” might be one of those million dollar questions, but in reality it’s more of a “work in, work out” answer. The benefits that are gained will vary greatly on the ISO standard that you implement and the amount of effort you put into improving the management system.
Some of the benefits are not as obvious as they can be harder to quantify. For example, when implementing ISO 9001 we would be looking at your processes and identifying streamlining opportunities, often reducing time and paperwork. Unless you are doing time and motion studies then it will be hard to obtain the cost benefits from these improvements. But you can certainly estimate how much time and money you have saved and see the value from that perspective.
The more focus you place on process improvements the more benefit you will gain - the ISO 9001 standard, as we’ve discussed, is all about continual improvement.
The ISO 14001 standard on the other hand could be easier to justify from a money perspective as you will need to monitor your waste and utilities usages. It is very easy to save money from both with this environmental standard. It is not uncommon for businesses to save at least 10% year-on-year through improvements and just focusing on those areas such as energy reductions.
It’s possibly harder to demonstrate cost benefits with the ISO 45001 standard but there are some businesses that will see the value of this more than others, especially when you analyse time off work through sickness or accidents. If you reduce these and improve the wellbeing of personnel then this will return monetary savings.
Likewise, ISO 27001 enables organisations to avoid the potentially devastating financial losses caused by data breaches. The global average cost of a data breach has skyrocketed to £3.13 million (a 6.4% increase from 2017), according to the Ponemon Institute.
The standard is also designed to ensure the selection of adequate and proportionate security controls that help to protect information in line with increasingly rigid regulatory requirements such as the EU General Data Protection Regulation (GDPR) and other associated laws.
When you’re looking at costs there’s a lot to take into account, such as implementation costs, employee hours costs and Certification Body costs (IF you want to be certified - you don’t HAVE to be certified).
The Ideas Distillery’s spent a lot time putting together a rough-and-ready spreadsheet calculator - our Cost Benefit Analysis (CBA) tool - to address the main areas of installing an ISO management system, including becoming certified.
The idea is, at the end of the process, you can see the overall costs and compare these with the overall benefits, in the context of both one-off and ongoing costs and benefits, and how ISOs might benefit you (or not) in the long term.
The downloadable CBA tool and accompanying guides (there’s one for ISO 9001, 14001 and 45001 then a separate one for ISO 27001) will quickly get you underway allowing you to work out a good indication of how much your chosen path is going to cost. Just click here for our CBA tool and guides.
As isolation is eased and people return to work, governments across the UK are requiring organisations to complete risk assessments as part of the permission to resume normal service.
Health and safety law requires employers, who continue to operate under current circumstances, to do ‘what is reasonably practicable’ to protect their staff and members of the public.
As an employer, you’re required by law to protect your employees, and others, from harm. Under the Management of Health and Safety at Work Regulations 1999, the minimum you must do is:
To fulfil this duty in addressing the risk from COVID-19 all companies must review their risk assessments and put in place measures to ensure the guidance available from their respective governments (in England, Northern Ireland, Scotland and Wales) is implemented.
Risk assessment covering exposure to Covid-19 will be different from one organisation to another. Healthcare workers, retail cashiers, home delivery drivers, utility engineers and construction workers have different exposure to this risk.
A risk assessment should recognise the virus as a hazard. It should also reflect that the virus is spread in minute water droplets that are expelled from the body through sneezing, coughing, talking and breathing.
The virus can be transferred to the hands and from there to surfaces. It can survive on surfaces for a period after transfer (depending on such things as the surface type, its moisture content and temperature). The risk assessment should conclude that if it is passed from one person to another, while many survive infection, some may die from the disease. It should be regarded as a high hazard.
The safety hierarchy of control can serve you well in considering what can be done. Any mitigation controls devised and implemented must reduce exposure of employees and anyone else who could be infected by your employees.
Control considerations must include identification of those who may have the disease, preventative measures and what to do if you find if an employee has contracted the disease. In other words, there may be elements of management systems design to think about. Decisions about what may be done must be realistic and reasonably practicable: achievable given the resources available.
Elimination is the best form of control. Can we eliminate the virus? Only through vaccination, so there is little that can be done by organisations. They are reliant on government response. Organisations should monitor vaccine availability and the priority of their workforce in any future vaccination programme so that arrangements can be made promptly. Social distancing and staying at home are not forms of elimination, but an administrative control.
Next in descending order is substitution: replacing the virus for something less harmful is not possible. Engineering controls place a physical barrier between the person and the hazard, or provide mechanical reduction of the hazard. Placing screens between people (e.g. cashier points in shops) will interrupt the flow of air from one person to another and therefore provide protection.
Providing ventilation is also an option. Recent research has shown that downward ventilation onto a patient’s bed considerably reduces the exposure of healthcare workers to infected droplets suspended in the air. Care must be taken if ventilation is to be considered. The fundamental question is where the potentially infected water droplets are ventilated to. It’s no good if they are blown onto other people or surfaces and increase exposure elsewhere. But as a principle it is worthy of some consideration e.g. ask whether the job must be done in a workshop, or can be done outside.
But then also consider exposure to ultraviolet radiation and other risk. Ventilation is a good control if it takes infected air away from people and transfers it to somewhere where the virus will not do harm.
Administrative controls provide the best options for most organisations. The risk assessment must consider how you will keep the workplace and equipment clean, adjust your working practices and ensure people are safe.
As an ISO consultancy obviously there is a big focus on taking a risk-based approach and the assessment of risk, evaluating effectiveness of control measures, complying with regulations, legislation, etc.
As businesses start to mobilise they’ll have the twin issue of new, immediate significant risks which will have arisen due to the pandemic alongside dealing with budget constraints and limited compliance resources.
We’ve been helping businesses in these scenarios, assessing their risk and conducting a review with the aim of identifying core compliance requirements. Much of this has been driven by their own clients requiring supply chains to undertake a proper Risk Assessment of current working arrangements.
Significantly, the crisis may have caused companies to find new suppliers that have not been fully vetted due to time pressures. Likewise, the pandemic may have caused substantial risks to employee safety associated with reopening businesses, such as effective social distancing. This emerging risk will likely call for the development of new policies and procedures that will require close oversight by senior management.
Our review will usually entail a historic review of internal procedures and controls to identify past activities or other problems to determine where the biggest risks reside. At this point we undertake a detailed COVID-19 Risk Assessment. External industry risks such as enforcement actions are considered as well.
But for those businesses who simply want to undertake their own detailed assessment, we are giving away the template we use for free. You can simply download it here.
There is no catch, we won’t ask you to sign up for anything, simply download, conduct the Risk Assessment and get back to work!
Millions of people around the world have lost their jobs amid the current Covid-19 crisis - it is a crisis within a crisis. The long-term economic impact is yet unknown but will surely be deep.
What is not in doubt is that the economic strain on companies of all sizes across the UK and the rest of the world will be here for the foreseeable future. Manufacturers have closed plants, stores are shut, and consumer demand has collapsed in many sectors.
Research by the Institute for Social and Economic Research at the University of Essex has found that more than 6.5 million jobs could be lost due to the economic fallout from the UK’s coronavirus lockdown, about a quarter of the UK’s total jobs.
A simply staggering number of companies have plunged into administration, from stalwart high street brands to major travel agents, as well as a whole raft of businesses in sectors such as construction. The true toll is only just beginning to be understood.
So it’s no surprise that companies which are still managing to keep their heads above water will be starting to look at deep cost-cutting measures in the short- and medium-term. With profit centres being hit like never before, cost centres such as ISO compliance will undoubtedly have fewer resources until the economy turns around.
What does this mean for the ISO compliance functions of companies that are struggling?
In practical terms, they will have to make risk-based decisions about how to allocate the limited resources that they have. And one important thing to think about is how you can use the expertise of companies such as The Ideas Distillery to outsource your compliance tasks cost-effectively with little overhead.
Certification Bodies have recognised, for the moment at least, that the world has changed significantly. Just about all have turned to ‘remote auditing’ as a way to still service clients while still respecting the lockdown. There has also been the option of postponing for up to six months in many circumstances, although this option is now starting to wind down.
Any company’s priority will simply be to put themselves in a position to survive the crisis. So when dealing with budget constraints and limited compliance resources, flexibility and creativity will be key.
For our part, when we are helping businesses in these scenarios, we always assess risk and conduct a review with the aim of identifying core ISO compliance requirements. This often entails a historic review of internal procedures and controls to identify past activities or other problems to determine where the biggest risks reside.
External industry risks such as enforcement actions brought against competitors should be considered as well, along with identifying low-risk areas where there have been few incidents or problems.
But more significantly, we help companies to determine if new, immediate significant risks have arisen due to the pandemic. Another emerging risk may exist in a company’s sales department, for example, perhaps due to the pressures of bringing in new business. This may be an area that leads to an increase in customer complaints as things are missed.
The crisis may have caused companies to find new suppliers that have not been fully vetted due to time pressures. Likewise, the pandemic may have caused substantial risks to employee safety associated with reopening businesses. This emerging risk will likely call for the development of new policies and procedures that will require close oversight by senior management.
For more information - and to see how we can help - just get in touch with us in any number of ways using on our Contact page.
ISO 45001 is an Occupational Health and Safety Management System (OHSMS) which provides a system for measuring and improving an organisation’s health and safety impact.
ISO 45001 focuses on managing your organisation's internal environment to ensure a safe and healthy workplace. ISO 45001 certification was developed to mitigate any factors that can cause employees and businesses irreparable harm.
Its requirements are the result of great effort by a committee of health and safety management experts who looked closely at a number of other approaches to system management - including ISO 9001 and ISO 14001.
In addition, ISO 45001 was designed to take other existing occupational health and safety standards, such as OHSAS 18001, into account - as well as the ILO’s labor standards, conventions and safety guidelines.
The major benefits to companies who hold ISO 45001 certification are:
The true value of ISO 45001 comes from linking the business strategy and the health and safety management system - not developing a standalone set of documents.
Using ISO 45001 to help manage risks and contractors, core and support processes, equipment and people gives you the opportunity not only to control but to assess and improve the health and safety of workers and others.
Certification to ISO 45001 gives you the opportunity to identify improvements and further reduce the risk of injury, illness and death.
The sort of things that you'll need to consider - which we can help you with - would be:
Here you'll find the latest blog articles on all things compliance, particularly focussed on quality, environment, health & safety and information security.
Get a completely free, no obligation, totally tailored ISO Gap Analysis for your business...