Intertek's Assurance in Action Podcast Network

Is your Management Systems scope fit for purpose?

Curtis Thornton, Cheryl Savage Season 7 Episode 3

Defining the scope of your management system is a key step when developing any management system, but it can be a challenge for some. 

As a Certifying Body for ISO Management Systems, our experts are here to help clients ensure their scope is in line with Accreditation Body requirements and fit for purpose. 

If you are at the start of your journey to Management Systems Certification, listen to our podcast for some best-practice tips on what a winning scope looks like.

Job title of speakers:

  • Curtis Thornton: Intertek Business Assurance Business Development Manager
  • Cheryl Savage: MD of Management & Risk Solutions

Follow us on- Intertek's Assurance In Action || Twitter || LinkedIn.

0.11 Curtis 

Hello, and welcome to the first in our series of management systems podcasts. This session is dedicated specifically to the scoping activity. I'm Curtis Thornton, Business Development Manager for Business Assurance here at Intertek UK and I'm joined by Cheryl Savage, the Managing Director of Management and Risk Solutions. Cheryl, would you like to introduce yourself?

0.40 Cheryl: Thanks, Curtis. My name is Cheryl Savage and I’m Managing Director of Management Risk Solutions, established in 2018, and we offer consultancy, auditing and training for any organisation looking to either develop or enhance a management system. We support Intertek closely - we deliver majority of Intertek training courses and work closely with clients to offer solutions to enhance their management systems and take them forward towards certification.  I'm delighted to be here on this podcast. 

1.19 Curtis  

So today we're going to go through a few topics relevant to management system scopes that will hopefully give you a clear idea of exactly what is needed and to also give you some tips on how to write your scope statement. So, we're going to go through a few different sections here, but as the topic of the title of this podcast is “Is your scope fit for purpose”, I just want to give a brief explanation as to why we've chosen this topic.

Essentially, we've chosen this topic because we have thousands of clients in the UK who of course have a scope statement. It's up to Intertek to make sure that these scopes are both conforming with UKAS requirements, but also fit for purpose. And what I mean by that is fit for purpose in terms of adding the most value to your organisation, but also adding the most value to people who are reading them as well.

All too often we come across scope statements that are too vague, too descriptive, or are too focused on selling the business rather than showcasing the specialties of the company being certified. So, I'd just like to pass this over now to Cheryl just to explain a little bit more detail - What is the scope?

2.38 Cheryl

Thanks, Curtis. I think it's really important to understand there are three types of scope related to management systems that can be the same but can be very different. 

Audit scope: So, the first one we'll talk about - what is an audit scope? So, an audit scope is something that we are going to audit and that means where are the boundaries? What might be included? What might be excluded from that audit? And we can't plan our audit unless you know where the boundaries are. So, it could be a location, it could be a department, it could be a process within the size of department. So that's an audit scope.

Management System scope: We also have in all the ISO standards - Clause 4.3 asks us to define the scope of our management system. Now the scope of our management system and the scope of certification can be the same but can also be very different. So, when we're defining the scope of the management system, again, we have to take into consideration what it is that the business does. But it also asked us in all ISO standards to take into consideration the internal/external issues that affect the business in clause 4.1, and these expectations of interested parties that affect or can be affected by the business clause in 4.2.

Certification scope: So now the scope can be quite much wider than the activities of an organisation because it has to incorporate those things. Whereas the scope of certification is what you've come into agreement with the certification body of what's actually going to be covered in that certification scope. So you might limit that scope to certain activities or certain locations of your organisation, whereas your management system might be much wider scope. So, for example, you might have a management system for a global organisation. But you might have a certification scope which is just one location or certain activities inside that location. 

So I hope they like clarify is again a bit of a misunderstanding on what we mean by scope. Scope always means what's included what's excluded, what's the boundary, but we do have those three different types of scopes, so audit scope, management system scope, certification scope.

4.50 Curtis: 

I think we're going to touch on this later, but just to ask you now, why would an organisation have a separate scope for their management system internally and scope for their certification?

5.06 Cheryl 

For a consultant it's a really hard question to answer because I wouldn't want them to have a separate one. However, you may choose to only go for certification for a narrow part of the business. Whereas you wouldn't want within your business only to have a management system that incorporates different parts of the business. You can't exclude HR or manufacturing from say your health and safety management system because they are the people that work for your organisation so you’ve got to include everything, but you might choose to work with Intertek, for example, and say we want to go for certification to ISO 45001, but we only want it for the manufacturing parts of our business.

Of course, when Intertek then go in, the auditor will be looking within that defined scope of certification, but also how that part of the organisation is identified, the internal/external issues and the interested parties because they are very relevant to the system but might be excluded from the certification.

6.05 Curtis 

Thank you. That makes a lot of sense. I just wanted to touch on briefly before we go into a bit more detail on specifically how to write your scope, why this matters to get it right. I mean, obviously as a consultant yourself, I'm sure you go into a lot of organisations, and you see that it just isn't correct. And this can make a massive difference to their certification. So, I was just wondering if you could give us a bit more of an insight on why this matters.


 6.34 Cheryl 

I think it matters because you can't be misleading with this type of certification. It also matters from a commercial perspective because a lot of organizations, when you're bidding and tendering for new work, they ask you to send a copy of your 9001, your 14001, your 45001 certificates. And the wording on that really needs to represent what is included in this certification scope. So, it can't be misleading.

And again, as we go through this podcast, I'm going to give you a little acronym that we're going to use to try and make sure that we cover everything, but also that we put the limitations in there of what that certification scope and covers, so it can't be misleading.

You've also got to make bear in mind as well working with the certification bodies, they've got to make sure that they are accredited by UKAS as Curt mentioned earlier or what other accreditation body depending on where you are in the world, and that they are accredited to include that scope and can offer that certification within that scope that you're covering.

So, for example, if you work in construction and you're working with a Certification Body that doesn’t have that in their scope of accreditation, you can't offer that certification. So there are accreditation scopes as well as certification scopes.

7.47 Curtis

Thanks for clearing that up Cheryl, that's really useful. So, from a Certification Body’s perspective and certainly from my perspective dealing with clients day-to-day, I would say that what I've seen from clients in terms of how to write a scope statement, what I've seen from client so far, I've developed a short list of top tips essentially.

So, what I feel would be useful to know when developing your scope statement:

1)      Keep it short and simple. It sounds simple and it sounds quite easy. However, I have seen a lot of scope statements through my time, which are very long winded and go on quite a bit and essentially you need to kind of understand that you want the scope statement which brings me on to my second point.

2)      You want the scope statement to overview what you do as an organisation, but you don't want it to be too ‘wordy’ so it becomes confusing, or it becomes a little bit tedious to read throughout the whole thing 

3)      You don't want it to be overly ‘salesy’.  What do I mean by that? Well, of course the scope statement naturally will have an element of portraying what you do to your customers and your clients. So, it does actually need to enhance your business to a degree. Showcasing the processes and procedures that it covers. However, you don't want it to be so ‘salesy’ whereby it could almost be at odds with your accreditation with UKAS.

There are strict rules and regulations in place by UKAS to make sure that you're not overselling it and that you're following the rules and procedures which will go through now.

And Cheryl, you did mention that there's an acronym that you've hope will find, which I'm sure our listeners will find very useful. Do you mind just going into that as well?

9.56 Cheryl

So, the abbreviation and I use is M.E.L.

M = what are the main activities that this organisation does?

E = any extra activities that I want to actually incorporate in the scope of my certification, and particularly on that certificate 

L = are there actually any limitations that I should be having on that certificate to make it clear

So, a few examples:  An ISO 9001 scope might be as simple as ‘design and manufacture of parts associated with the automotive industry’. So, the Main activities are design and manufacture of the parts but the Limitations or the example would be for the automotive industry. So that's the Extra - they’re saying it’s specifically for the automotive industry.

Another one said: My scope of certification for my business might be something like ‘design and delivery of training courses’ - that's the main activity, but it might extend it to say ‘specifically for the construction industry’. Mine isn't, by the way, so that's a bit misleading, but it might be an organisation that just designs & delivers training courses for a specific industry. You might want to have that on your scoping statement because that gives you limitations.

When we're talking about ISO 45001, then that scoping statement really should say words like ‘the health and safety issues associated with’ whatever that organisation does, and the same for environmental, so ‘environmental issues associated with the design and manufacture of’ - so that it's very clear what that scope of certification covers.

Yes, it will say the number, so for quality, it'll say 9001, for environmental it’ll say 14001 and for occupational health and safety 45001.  But for me, as an auditor, a consultant, I would encourage organisations to actually put it on their certificate.  ‘The health and safety activities associated with..’  or ‘the environmental activities’ or ‘the environmental impacts associated with..’ and then from a quality perspective, that's when it's really saying these are our activities.   

So again, just to reiterate, MEL is just a very simple acronym. What are the main activities, or there any extra activities that you also want to have on that certificate?  And are there any limitations? So, some organisations might manufacture a part that meets a British standard for example. Do you want to have that on your scope and statement? But maybe you don't, because maybe that limits when you're submitting your certificate to a potential client. Just think about, you know, what do you want that certificate to say about your organisation, but maybe think also about the additional or the extra activities that you want on there and are there any limitations.

Hopefully that's helpful.

12.57 Curtis 

Yes, thank you, Cheryl, certainly helpful for me and I'm sure very helpful for listeners as well. I just wanted to briefly extend on that actually just with ISO 27001 as well - information security, because I know that there will probably be a few listeners here that are interested in the scope statements specifically for this standard. The advice would be very similar in the sense that it would still follow the structure or the acronym MEL, so the main activities, the extra activities and then any limitations of that of that scope, and it would also follow the advice that you talked about Cheryl in terms of referring to environment and health and safety. But in this regard, instead of it referring to health and safety and environment, we would actually say the information security management system of, and then go into your activities, because this way it's then showcasing that this is relevant to ISO 27001 and your information security management system. So it's making it specific.

And then the second thing with 27001 scope statements is that you need to also have a reference to what we call an SOA, which is a statement of applicability. Now the statement of applicability is a separate topic, and it is something that we can touch on later in this series of management systems. However, as I said just briefly for now, typically the statement of the applicability reference in your scope statement is made towards the end of the scope statement. So you could have something, for example -‘the information security management system of X Company in association with statement of applicability version 1.0’ as an example. And then what that basically tells your clients is that you have a statement of applicability that you have created within your information security management system, which is then being verified by a third-party Auditor such as Intertek and essentially it has been verified.

So now I think we can just go move on a little bit. Now we've got a bit more of an understanding about the structure of scope statements. Just to understand some common mistakes that we see or certainly the I see from a certification’s perspective, but Cheryl also that you see from a consultant side as well. So you mentioned that you had a couple of things you wanted to talk about, Cheryl, in terms of examples of misleading scope statements.

15.37 Cheryl

So you can't have a misleading scoping statement, so you can't be a multinational organisation, but the scoping statement doesn't outline which locations are covered, because you might only have head office for example covered in the certification, and actually your scope needs to say that it's head office activities only, if you're a manufacturing company and you've got 20 different sites across the UK. Is it the head office in those twenty sites and is it all the activities associated with all those 20 sites? It needs to be very clear; it can't be misleading. What you will have if it is a multi-site certification, you will have a schedule of what sites it covers. But again, and you can't be misleading on your scoping statement certificate. So, if it's the design and manufacture of something, but you don't do the design, then you can't have that on your certificate. So, it can't be misleading, OK.

16.38 Curtis 

Great. Thank you. I just think I'll add to that as well as that in the past I have seen a few certificates which they wanted the certification to cover the management of the processes associated with let's say the production of something for example. Now, if you truly just wanted the management team to be certified as part of your organisation, then that is completely fine. However, certification bodies we have seen in the past that companies wanted the management of the management team to actually be certified, but then they claimed that the whole organisation was to be certified. Now we can't do that. If you do want the whole organisation certified, then of course we would need to audit and include within the scope the whole organisation, so we wouldn't have that wording specifically.

On the flip side, if you did actually just want the management team certifying under ISO, then we would obviously make that clear and that would be clear on that scope statement and within the certificate itself. 

Which does bring me on to my second point, which is what is the scope and what is it that you actually want to gain out of your scope statement. So what is the purpose of the scope statement?

So a common mistake that I see is that organisations tend to look and create their scope statement from looking at it from the lens of their own company rather than from the perspective of a client or a customer. So, things such as including too technical terms or processes which perhaps only your colleagues internally will know. And again, this depends on what the purpose of your certification is for.

If you specifically wanted to reference products and you specifically wanted to reference procedures, which you know which is specifically for a tender or it's for the clients that you're already working with, then that's fine.  But we found on a few occasions or certainly I found working with Intertek is that it has been too specific on products, and it's been too specific on procedures, whereby it can then limit yourself and it can actually limit the type of people that you're trying to attract and what you're trying to achieve from your management system.

And the third common mistake and I've already touched on this so I don't need to go into too much detail, but being too ‘wordy’ and it isn't the case that you need to.  And actually, Cheryl did include this herself earlier on.  You don't need to include every single department within your scope statement, you just need to be able to pick out the key processes or the key areas within your business that you feel is going to have the greatest impact.  Impact being a keyword. So what's going to have the greatest impact on your organisation and how are you going to yield the biggest benefit from having a scope statement?

Think about your target audience, basically is what I'm trying to say out there. And on the flip side, you don't want to miss out key processes. Of course, if you're bidding for a tender, and as part of the tender, they are looking for ISO 9001 certification for your production, then of course you want to ensure that production is mentioned in your scope statement. Otherwise, there's going be a disconnect in terms of what they're looking for and what you've put on your scope.

And finally, from my perspective, just being too specific as well. It's good to have various processes within your business. However, there really isn't any need to be very specific with the scope statement. If you add individual products onto the scope, what happens then when you grow? If you're adding each individual product onto your scope statement - it's going to be a very high amount of admin, both from the certification body and for yourselves. But you also need to remember what's the overarching message that we're trying to achieve here.

And then finally, I've got lacks structure and Cheryl mentioned this briefly earlier as well. So we've talked about having that acronym MEL. So having that structure in place, we have also seen scope statements from other certification bodies which would just be as simple as testing services or IT infrastructure or capabilities testing. Of course it does, to a degree give a customer or gives someone who's looking at your certificate an idea of what you're doing, but it's not really structured enough to have a clear understanding of what it is exactly that you do and what it is exactly what it is that it's exactly covered under the scope of certification. So just make sure to have some structure in there as well.

Conclusion

So thank you so much for taking the time to listen to this podcast. I've really enjoyed talking about the scope statements here. The key takeaway is that you want the scope statement to be an accurate and fair representation of the key processes and activities within your organisation. You don't want it to be too wordy and you want to make sure it has an emphasis on the management systems. However, equally you don't want it to be too short, as the scope statement can be used as a tool to support selling and representing what is certified throughout the business. If your customers can see a process or activity, which is covered within your scope, they can be confident that your product or service is of the highest quality. And of course, depending on the standard, said processes can also be environmentally friendly, adhere to health and safety requirements, or be covered under your robust information security policies.

We've hope you found this podcast of value and also a big thank you to Cheryl for your time and expertise today.

To learn more about our management systems certification services visit www.intertek.com/business-assurance

Thank you.

End: 23.16