The Ideas Distillery

HOW TO CREATE AN INTERNAL AUDIT PLAN

11/4/2021

This month we take a look at how internal audits actually work. As we saw last month, these are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made.

An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest. Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience.

For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:

  • Ensuring adherence to the company’s processes – the auditor should look to ensure that the organisation is complying with its own procedures.
  • Ensuring the effectiveness of the system – the auditor should look at all processes, reviewing the value of each process, and ensure that the procedures still meet the organisation’s objectives.
  • Providing information for management reviews – the results of audits should be documented so that they can be reviewed and analysed, providing information for use in corrective action programmes and management reviews.
  • Identifying opportunities for improvement – the auditor should examine documented evidence against the management system that is relevant to the function or department being audited. This could include staff competency, qualifications or training. Problems should be discussed with the auditee and corrective/preventative actions should be recorded.
  • Driving continual improvement – the auditor needs to follow up and verify that any corrective actions have been completed by the agreed date.

You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained.

The first and most important thing to understand is how often you need to audit your systems. There is a myth out there that you need to audit your entire ISO Management System every year, and it is just that, a myth: you do not!

The wording in pretty much every standard is now roughly the same, the key wording being: “The organisation shall conduct internal audits at planned intervals to determine…” There is nothing there about every year; it just says planned intervals. Planned intervals just means that you should have a documented planned frequency for auditing your system. It may be that you decide you want to do it all within the 3-year cycle of your certification, but again you do not actually have to (you should, but you do not have to).

All the newer revisions of the ISO Management System Standards talk, right at the very start, about taking a risk-based approach to your compliance system. That means that throughout your entire ISO 9001 Quality Management System, ISO 14001 Environmental Management System or even your ISO 27001 Information Security Management System, you should look at the risks of each policy or procedure and make a call on how often you will carry out an internal audit on it.

Grouping things into risk categories does not need to be complicated. Keep it simple and give each one a rating based on the impact it could have on the performance of your ISO Management System, and on your product or your customer if things were to go wrong. For example, a rating like this works well in terms of setting out your audits:

  • Low – As required, i.e. you may audit once in the 3 years, or more frequently if something pops up
  • Medium – Audit Every Two Years
  • High – Audit Every Year
  • Critical – Audit Multiple Times Per Year

When deciding that risk level, you could use the list below as a good starting point. You should also factor these points into your thinking when you are deciding if you need to re-audit an area sooner than planned or push it further out (yes, you can adjust your schedule as you go):

  • Level of non-conformances within / linked to that process.
  • Customer complaints
  • Any business risks / hazards
  • Importance of the process on your product or customer
  • Previous audit results (internal & external)
  • Organisation changes e.g. key personnel changes.

A shameless plug here - The Ideas Distillery offers a comprehensive, objective internal auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process.

If you would like to look at how to implement an ISO management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).


WHAT INTERNAL AUDITS DO AND WHY THEY ARE NECESSARY

10/4/2021

Regardless of the industry, companies face increasing competition with each passing day. Whether you’re a massive enterprise, or a small startup, monitoring and maintaining operational efficiency has never been more important. Consequently, internal audits have grown to become an essential component of a business’ success.

The dynamic pace of today’s business landscape also means that failure to effectively evaluate and manage risks has the potential to ruin any organisation.

If your clients or end users expect products or services that are secure and compliant, you will need to ensure that you’re making the most of internal audits. 

Simply put, an internal audit is an independent activity designed to objectively evaluate the effectiveness of an organisation’s internal controls, risk management and governance. It is typically pre-emptive in nature and aims to uncover any discrepancies between operational processes and their intended purpose.

Upon completion of the internal audit, a detailed report is provided to management, outlining the findings alongside any recommendations. By including activities that affect businesses from top to bottom, internal audits go beyond your organisation’s internal processes: they’re concerned about the overall wellbeing and success of your organisation.

So internal audits are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made.

An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest.

Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience.

For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:

  • Ensuring adherence to the company’s processes – the auditor should look to ensure that the organisation is complying with its own procedures.
  • Ensuring the effectiveness of the system – the auditor should look at all processes, reviewing the value of each process, and ensure that the procedures still meet the organisation’s objectives.
  • Providing information for management reviews – the results of audits should be documented so that they can be reviewed and analysed, providing information for use in corrective action programmes and management reviews.
  • Identifying opportunities for improvement – the auditor should examine documented evidence against the management system that is relevant to the function or department being audited. This could include staff competency, qualifications or training. Problems should be discussed with the auditee and corrective/preventative actions should be recorded.
  • Driving continual improvement – the auditor needs to follow up and verify that any corrective actions have been completed by the agreed date.

You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained.

Another shameless plug here - The Ideas Distillery offers a comprehensive, objective auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process.

If you would like to look at how to implement an ISO management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).


WHY LEADERSHIP IS A VITAL COMPONENT OF A MANAGEMENT SYSTEM

3/4/2021

A core but often misunderstood clause of the main ISO standards is the area of ‘Leadership’. This is a term which means different things to different people, but what does it mean in terms of management systems?

Although there are a lot of different definitions of leadership, there is a common thread that runs through many of them: the notion that leadership involves influencing others to follow a particular direction or aim for a particular goal. 

This is really the thread that runs through ISO - leadership is about tackling the important or core issues that face the organisation, which will usually fall into one of three categories:

  1. Strategic issues: the ‘ends’ or results the organisation seeks. In what direction should we go in a changing environment, correctly identifying opportunities and avoiding threats?
  2. Task issues: the ‘means’ of achieving the organisation's desired results. How can these tasks best be performed? Is there a tension between ends and means? 
  3. The people or maintenance problem. Leadership is largely about the relationship between leaders and followers. Therefore a central task for leaders is to build and maintain a solid relationship with others. How can a leader maintain the morale, cohesion and commitment of individuals while pursuing the organisation’s aims? 

Therefore Top Management (as ISO standards label senior management within an organisation) must ensure that the requirements of the management system, including the policies and objectives, are consistent with the strategic context and direction of the organisation, and that the policies and objectives are established whilst ensuring that the human and financial resources needed for implementing the management system are available.

The standards insist that Top Management should take a ‘hands-on’ approach to the management system, which will be audited during interviews and whilst recording compliance to other requirements, e.g. determining organisational context, policies, objectives, management review minutes, provision of resources etc.

This process view of leadership is designed to look at how leadership tackles the ‘ends’ and ‘means’ core problems which requires some knowledge of the wider environment and an understanding of how it is likely to affect the organisation. 

To exercise leadership in these areas, Top Management must be prepared to keep in touch with and understand these wider events. Being a successful leader depends not just on what a person does within a group, as is suggested by ‘style’ theories of leadership, but also on what that person does outside the group. Effective networking and being a good ambassador are important leadership skills; they help the leader to understand the threats and opportunities that may face an organisation and to mobilise resources and support. 

It’s against this backdrop that management system auditors will want to determine the following issues amongst the organisation’s Top Management:

  • How have policies and objectives been established?
  • Do they align with the strategic direction and the organisational context?
  • How are policies and objectives communicated within the organisation?
  • Can you demonstrate how policies are understood and applied?
  • How are the requirements of the Management System integrated into the business processes?
  • How is awareness of the process approach promoted?
  • How are resources determined?
  • How do you communicate the importance of effective Management System management, and conforming to Management System requirements?
  • How do you ensure that the Management System achieves its intended results?
  • How do you engage, direct and support people who contribute to the effectiveness of the Management System?
  • How is continual improvement promoted?
  • How are other relevant management roles supported to demonstrate leadership in their areas of responsibility?

The principle is fairly simple: without solid management commitment, you will not have a successful management system. This is not a commitment in words, it is the continuous and active demonstration to everyone in the organisation that the need to meet customers’ expectations is vital.


COVID, ISO, AND THE INNOVATION REVOLUTION

11/5/2020

The huge impact on businesses due to the COVID-19 pandemic has forced many businesses to come up with other revenue-raising ways.

This has sparked a ‘revolution in innovation’ as businesses either deliver their products or services differently or pivot to something completely new.

But businesses don’t have to wait for the next ‘big shock’ to find out whether they have the innovative nous to survive. Adopting a management system now can ensure that moving over to new business practices becomes a seamless process.

There is a strong bond between business management systems and innovation. ISO systems are not just about continual improvement, they are also inherently linked to innovation. And in the current- and post-COVID economy, that’s something we’re going to need more than a small slice of.

Running a business along ISO management system lines means you’re looking for improvement by involving a whole range of stakeholders, from every employee to your clients, customers, suppliers and any other key person or group you’ve identified. You’re always after their views; you’re always gathering market information; you’re a very ‘switched on’ company. You marshal your resources in a way which makes you able to look for improvement and innovation at every level.

Let’s look at the figures: the failure of new products is well documented. For example, the retail and grocery sector sees an 85% failure of new products in the first year. The computer games industry sees around 50% of its sales generated by only 10% of releases.

The failure rate in the music industry is spectacular, with approximately 80-90% of new releases being duds. In the online magazine publishing industry, a massive 80% of new publications fail to last more than 12 issues, and book publishing is a notoriously difficult nut to crack where only a tiny proportion of new releases generate any kind of profit.

Genuine business improvements, and the new ideas that result from them, are actually very difficult to come across. Just look at confectionery manufacturers and the way they incessantly bring out bigger/smaller/special edition versions of 60-year-old snacks. This tired old formula has now become the template of product and service development in industries right across the board. There is, of course, one fundamental flaw with this process: the vast majority of things created by it fail.

But business improvement and innovation is so important because we are facing a number of key challenges. Globalisation, technological and knowledge revolutions, cultural debate and climate change are issues that face us all at some level. They mean that as well as wanting to improve and innovate in order to improve a process or product and add value, we also have to improve and innovate because there is an overwhelming imperative to do so.

The knowledge-driven economy brings new challenges for business. Markets are becoming more global with new competitors, product lifecycles are shortening, customers are more demanding and the complexity of technology is increasing.

So while the knowledge economy represents new opportunities, certain actions are needed to support and take advantage of these developments.

In the knowledge-driven economy, improvement and innovation have become central to achievement in the business world. With this growth in importance, organisations large and small have begun to re-evaluate their products, their services, even their corporate culture in the attempt to maintain their competitiveness in the global markets of today. The more forward-thinking organisations have recognised that only through such root and branch reform can they hope to survive in the face of increasing competition.

This is why the use of ISOs is so important. A successful business today understands the value of both improvement and innovation, and it knows that while these terms may have different meanings, they are equally critical for long-term business success. Organisations that embrace both methods of increasing business value are the ones that will not only survive, but thrive in today’s competitive marketplace.

Improvements are small, incremental changes that make a business’s goods or services better in some way, whether by reducing cost, increasing value, improving safety, or enhancing quality or satisfaction. They’re typically low-cost, low-risk ideas that can be implemented by the people doing the work all day, every day. Improvements start with examining a current process and asking the question: “How can I do this better?”

The trick is to couple this with innovation, which starts with the status quo and asks: “How can I do this in a whole new way, to achieve significantly better results?” Innovative ideas are ground-breaking, far-reaching, significant changes to business processes that serve the purpose of improving the organisation in wide swathes. But you have to have your business processes functioning properly in the first place.

Food for thought before the next economic shock rumbles inevitably towards us.

If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).


ARE ISO STANDARDS WORTH GETTING?

10/6/2020

“Should I get ISO certification?” - this is a question only you can answer, and really only when you’ve answered the question “why do I need ISO certification?”

It might be that you need it because a client has said it won’t deal with you until you do; or you want to get onto a supply chain list; or your competitors have it so you need to get it to compete.

While there’s nothing at all wrong with any of these reasons, the trouble is they drive a ‘tick box’ industry when it comes to certification. Certification just becomes an end in itself: simply a side project that achieves certification by ticking off a series of actions in preparation for an audit, and is then ignored as soon as the auditor walks back out of the door and other priorities take over.

Then it’s back to battling through self-inflicted mistakes and complaints for another 11 months before starting to look at fabricating evidence to show the auditor again in a month’s time. This is an all-too-familiar story.

The main reason you should want ISO certification is the reason they were developed in the first place - to improve your organisation.

The quality standard - ISO 9001 - is used by over one million companies across the world and is revered by large corporations and small firms alike. If it’s applied properly and diligently, then organisations reap the benefits over time.

The only problem with it is that it’s a seriously underused system, mainly because of all of the unnecessary bureaucracy, costs and generally poor implementation which have become associated with its certification. But this does not have to be the case. If done correctly it can be, simply put, the most effective way of improving your business.

If you strip away all of the rigmarole surrounding certification, then it can be the level-best way to continually improve your business from your customer’s point of view.

So when trying to gauge if it’s worth it, then this is a really important thing to frame it against. 

Due to the nature of ISOs, it can be difficult to work out whether it’s cost-effective - many of the costs fall into the ‘it depends’ category (it depends on your company size, sector, risks, etc) and the benefits will depend on many things so can only be estimated.

“Is ISO worth it?” might be one of those million dollar questions, but in reality it’s more of a “work in, work out” answer. The benefits that are gained will vary greatly depending on the ISO standard that you implement and the amount of effort you put into improving the management system.

Some of the benefits are not as obvious as they can be harder to quantify. For example, when implementing ISO 9001 we would be looking at your processes and identifying streamlining opportunities, often reducing time and paperwork. Unless you are doing time and motion studies then it will be hard to obtain the cost benefits from these improvements. But you can certainly estimate how much time and money you have saved and see the value from that perspective. 

The more focus you place on process improvements the more benefit you will gain - the ISO 9001 standard, as we’ve discussed, is all about continual improvement. 

The ISO 14001 standard, on the other hand, could be easier to justify from a money perspective as you will need to monitor your waste and utilities usage. It is very easy to save money on both with this environmental standard. It is not uncommon for businesses to save at least 10% year-on-year through improvements and just focusing on areas such as energy reductions.

It’s possibly harder to demonstrate cost benefits with the ISO 45001 standard but there are some businesses that will see the value of this more than others, especially when you analyse time off work through sickness or accidents. If you reduce these and improve the wellbeing of personnel then this will return monetary savings.

Likewise, ISO 27001 enables organisations to avoid the potentially devastating financial losses caused by data breaches. The global average cost of a data breach has skyrocketed to £3.13 million (a 6.4% increase from 2017), according to the Ponemon Institute.

The standard is also designed to ensure the selection of adequate and proportionate security controls that help to protect information in line with increasingly rigid regulatory requirements such as the EU General Data Protection Regulation (GDPR) and other associated laws. 

When you’re looking at costs there’s a lot to take into account, such as implementation costs, employee hours costs and Certification Body costs (IF you want to be certified - you don’t HAVE to be certified).

The Ideas Distillery has spent a lot of time putting together a rough-and-ready spreadsheet calculator - our Cost Benefit Analysis (CBA) tool - to address the main areas of installing an ISO management system, including becoming certified.

The idea is, at the end of the process, you can see the overall costs and compare these with the overall benefits, in the context of both one-off and ongoing costs and benefits, and how ISOs might benefit you (or not) in the long term.

The downloadable CBA tool and accompanying guides (there’s one for ISO 9001, 14001 and 45001 then a separate one for ISO 27001) will quickly get you underway allowing you to work out a good indication of how much your chosen path is going to cost. Just click here for our CBA tool and guides.

If you would like to look at how to implement an ISO management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
