Annex SL - you might hear this very sexily-titled moniker from some nerdy-sounding ISO practitioners and think that it contains some table listing requirements or some such. But actually it’s something very useful to anyone who’s decided to do two or more of the most widely-used ISOs (namely ISO 9001 (quality), ISO 14001 (environmental), ISO 45001 (health & safety) and ISO 27001 (information security) standards). This is because Annex SL is, in effect, an ISO directive which prescribes how ISO management system standards should be written. The aim is to enhance the consistency and alignment of standards by providing a unifying high level structure with identical core text and common terms and definitions. In the previous section you’ll have seen that there are a lot of common requirements between all four of the standards we covered, and this is because all of them use the Annex SL High Level Structure. In practice this means that all four of the standards we are looking at will all have the same common elements below, and the specific requirements of each standard will be found within these sections:
The big advantage is that if you are undertaking, for example, ISO 9001 and ISO 14001, and you wanted to address the clause ‘Context of the Organisation’ by doing a SWOT & PESTLE analysis, then you would only have to do this once. If you wanted to add ISO 45001, again you would do this just the once, but make sure you added in a health & safety dimension to the analysis. Likewise with all the other headings - the different standards may have different specific requirements under each heading, and there may be different emphases in certain areas, but they’ll all fall broadly under each of these headings. Which does make life easier! This means you can also look at each heading in turn and see how it might relate to you, taking advantage of being able to integrate the many common elements between the ISOs. If you would like to look at how to implement an ISO management system, then simply contact us. Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
0 Comments
This month we take a look at how internal audits actually work. As we saw last month, these are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made. An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest. Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience. For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:
You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained. The first and most important thing to understand is how often you need to audit your systems. There is a myth out here that you need to audit your entire ISO Management System every year, and it is just that a myth, you do not! The wording in pretty much every standard is now the roughly the same, the key wording being: “The organisation shall conduct internal audits at planned intervals to determine……” There is nothing there about every year it just says planned intervals. Planned intervals just means that you should have a documented planned frequency for auditing your system, it maybe you decide you want to do it all within the 3-year cycle of your certification but again you do not actually have to (you should, but you do not have to). In all the newer revisions of the ISO Management System Standards, right at the very start of them they all talk about taking a risk-based approach to your compliance system. That means throughout your entire ISO9001 Quality Management System or ISO14001 Environmental Management System or even your ISO27001 Information Security Management System you should look at the risks of each policy or procedure and make a call on how often you will carry out an internal audit on it. Grouping things into a risk category does not need to be complicated, keep it simple and allocate each on a simple rating in terms of the impact each one could have on the performance of your ISO Management System, the possible impacts on your product or your customer if things were to go wrong. For example, a rating like this works well in terms of setting out your audits:
In terms of things to consider when deciding that risk level, you could use the list below as a good starting point, you should also factor into your thinking when you are deciding if you need to re-audit an area sooner than planned or push it further out (yes, you can adjust your schedule as you go):
A shameless plug here - The Ideas Distillery offers a comprehensive, objective internal auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process therefore maintaining impartiality. If you would like to look at how to implement an ISO management system, then simply contact us. Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses). Regardless of the industry, companies face increasing competition with each passing day. Whether you’re a massive enterprise, or a small startup, monitoring and maintaining operational efficiency has never been more important. Consequently, internal audits have grown to become an essential component of a business’ success. The dynamic pace of today’s business landscape also means that failure to effectively evaluate and manage risks has the potential to ruin any organisation. If your clients or end users expect products or services that are secure and compliant, you will need to ensure that you’re making the most of internal audits. Simply put, an internal audit is an independent activity designed to objectively evaluate the effectiveness of an organisation’s internal controls, risk management and governance. It is typically pre-emptive in nature and aims to uncover any discrepancies between operational processes and their intended purpose. Upon completion of the internal audit, a detailed report is provided to management, outlining the findings alongside any recommendations. By including activities that affect businesses from top to bottom, internal audits go beyond your organisation’s internal processes: they’re concerned about the overall wellbeing and success of your organisation. So internal audits are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made. An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest. Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience. For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:
You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained. Another shameless plug here - The Ideas Distillery offers a comprehensive, objective auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process. If you would like to look at how to implement an ISO management system, then simply contact us. Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses). A core but often misunderstood clause of the main ISO standards is the area of ‘Leadership’. This is a term which means different things to different people, but what does it mean in terms of management systems? Although there are a lot of different definitions of leadership, there is a common thread that runs through many of them: the notion that leadership involves influencing others to follow a particular direction or aim for a particular goal. This really the thread that runs through ISO - leadership is about tackling the important or core issues that face the organisation, which will usually fall into one of three categories:
Therefore Top Management (as ISO standards label senior management within an organisation) must ensure that the requirements of the management system, including the policies and objectives, are consistent with the strategic context and direction of the organisation, and that the policies and objectives are established whilst ensuring that the human and financial resources needed for implementing the management system are available. The standards insists that Top Management should take a ‘hands-on’ approach to the management system which will be audited during interviews and whilst recording compliance to other requirements e.g. determining organisational context, policies, objectives, management review minutes, provision of resources etc. This process view of leadership is designed to look at how leadership tackles the ‘ends’ and ‘means’ core problems which requires some knowledge of the wider environment and an understanding of how it is likely to affect the organisation. To exercise leadership in these areas, Top Management must be prepared to keep in touch with and understand these wider events. Being a successful leader depends not just on what a person does within a group, as is suggested by ‘style’ theories of leadership, but also on what that person does outside the group. Effective networking and being a good ambassador are important leadership skills; they help the leader to understand the threats and opportunities that may face an organisation and to mobilise resources and support. It’s against this backdrop that management system auditors will want to determine the following issues amongst the organisation’s Top Management:
The principal is fairly simple: without solid management commitment, you will not have a successful management system. This is not a commitment in words, it is the continuous and active demonstration to everyone in the organisation that the need to meet customers’ expectations is vital. The huge impact on businesses due to the COVID-19 pandemic has forced many businesses to come up with other revenue-raising ways. This has sparked a ‘revolution in innovation’ as businesses either deliver their products or services differently or pivot to something completely new. But businesses don’t have to wait for the next ‘big shock’ to find out whether they have the innovative nous to survive. Adopting a management system now can ensure that moving over to new business practices becomes a seamless process. The link between business management systems is a strong bond. ISO systems are not just about continual improvement, they are also inherently linked to innovation. And in the current- and post-COVID economy, that’s something we’re going to need more than a small slice of. Running a business along ISO management system lines means you’re looking for improvement by involving a whole range of stakeholders, from every employee to your clients, customers, suppliers and any other key person or group you’ve identified. You’re always after their views; you’re always gathering market information; you’re a very ‘switched on’ company. You marshal your resources in a way which makes you able to look for improvement and innovation at every level. Let’s look at the figures: the failure of new products is well documented. For example, the retail and grocery sector sees an 85% failure of new products in the first year. The computer games industry sees around 50% of its sales generated by only 10% of releases. The failure rate in the music industry is spectacular, with approximately 80-90% of new releases being duds. In the online magazine publishing industry, a massive 80% of new publications fail to last more than 12 issues, and book publishing is a notoriously difficult nut to crack where only a tiny proportion of new releases generate any kind of profit. Genuine business improvements and new ideas as a result of them are actually very difficult to come across. Just look at confectionary manufacturers and the way they incessantly bring out bigger/smaller/special edition versions of 60-year-old snacks. This tired old formula has now become the template of product and service development in industries right across the board. There is, of course, one fundamental flaw with this process: the vast majority of things created by it fail. But business improvement and innovation is so important because we are facing a number of key challenges. Globalisation, technological and knowledge revolutions, cultural debate and climate change are issues that face us all at some level. They mean that as well as wanting to improve and innovate in order to improve a process or product and add value, we also have to improve and innovate because there is an overwhelming imperative to do so. The knowledge-driven economy brings new challenges for business. Markets are becoming more global with new competitors, product lifecycles are shortening, customers are more demanding and the complexity of technology is increasing. So while the knowledge economy represents new opportunities, certain actions are needed to support and take advantage of these developments. In the knowledge-driven economy, improvement and innovation have become central to achievement in the business world. With this growth in importance, organisations large and small have begun to re-evaluate their products, their services, even their corporate culture in the attempt to maintain their competitiveness in the global markets of today. The more forward-thinking organisations have recognised that only through such root and branch reform can they hope to survive in the face of increasing competition. This is why the use of ISOs is so important. A successful business today understands the value of both improvement and innovation, and it knows that while these terms may have different meanings, they are equally critical for long-term business success. Organisations that embrace both methods of increasing business value are the ones that will not only survive, but thrive in today’s competitive marketplace. Improvements are small, incremental changes that make a business’s goods or services better in some way, whether by reducing cost, increasing value, improving safety, or enhancing quality or satisfaction. They’re typically low-cost, low-risk ideas that can be implemented by the people doing the work all day, every day. Improvements start with examining a current process and asking the question: “How can I do this better?” The trick is to couple this with innovation, which starts with the status quo and asks: “How can I do this in a whole new way, to achieve significantly better results?” Innovative ideas are ground-breaking, far-reaching, significant changes to business processes that serve the purpose of improving the organisation in wide swathes. But you have to have your business processes functioning properly in the first place. Food for thought before the next economic shock rumbles inevitably towards us. If you would like to look at how to implement an ISO 9001 quality management system, then simply contact us. Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses). |
WelcomeHere you'll find the latest blog articles on all things compliance, particularly focussed on quality, environment, health & safety and information security. Get a completely free, no obligation, totally tailored ISO Gap Analysis for your business...
Categories
All
Archives
April 2024
|