Intertek's Assurance in Action Podcast Network

ISO Management Systems – the Good, Bad and Ugly

Intertek Business Assurance, Risk Solutions Ltd Season 7 Episode 12

ISO Management Systems can add value to an organisation but only if they meet the needs of the business. 

In this podcast we discuss ‘good’, ‘bad’ and ‘ugly’ of management systems users are experiencing and how to make improvements.

 

Speakers

  • Curtis Thornton, BDM Business Assurance at Intertek 
  • Cheryl Savage, MD of Management Risk Solutions Ltd 

Follow us on- Intertek's Assurance In Action || Twitter || LinkedIn.

Curtis Thornton  Intertek   0:09 
Hello and welcome to the second in our series of management system podcasts. 
Today our topic is management systems, The good, bad and ugly. 
I'm Curtis Thornton, Business Development Manager for Intertek Business Assurance and I'm delighted to welcome our guest speaker, Cheryl Savage, MD of Management Risk Solutions Limited, who brings with her a wealth of experience as a Trainer, Consultant and IRCA Certified Lead Auditor. 

 
So Cheryl, I'm actually interested to hear about the feedback you're getting from some of your clients, which has led to our topic today. Management systems -  
the good, bad and ugly. 

 
Cheryl (Guest)   0:56 
So for context, I organised and client forum for some of my key clients and each of them had individual issues with their management systems. So I thought to instigate some discussion I'd come up with some topics and some headings and I ended up with the good, the bad and the ugly.  And a theme throughout, something that I really wanted to push forward was a management system can only add value to the organization if it meets the needs of their business and if there's things in the management system that don't work, then we need to question why are they there.  

 

Some of the common themes that came out which were quite good –  

 

  • They helped to identify and also manage business risk - and that's kind of like the number one topic that was a positive 
  • They were a good basis for setting objectives - the driving continual improvement 
  • Provides a framework, particularly around the quality management system providing customer satisfaction 
  • Encourages good employee engagement and that one particularly came out with the occupational health and safety management system, particularly with the requirements for consultation and participation.  

 

Some of the bad things: 

 
And again, this is a common theme: Even though the management system played a vital part in the organization, a lot of time there was insufficient resource.  

So, was there enough people actively involved in managing the system itself

 
Cheryl (Guest)   3:52 
So another issue was and defining competence so not necessarily that we had people that were not competent, but that management system really didn't understand the requirements is 7.2 particularly around different issues like competence for somebody that doesn't evaluate your compliance and it went back to a real weakness in the systems on defining competence in not just making sure that people have training for example, but understanding the real value in the management system to define competency and then ensure people are competent. 

 

A common theme again was do we do it really because it's the right thing to do and it's good for our business or do we do it to meet the requirements of certification?  

And if that's the case, then really a lot of time it was perceived as not adding value. 

 
And then the real ugly stuff, as will become as no surprise to anybody, was an overload on documented information: 

  • too many procedures that don't really add any value 
  • complex process controls when we could have simplified it 
  • does that actually represent what we're doing? 

 

A lot of the time when we audit management systems, we look at what they have in place and there's probably been in place for a long time as a document and that doesn't represent what they're actually doing now because what they're doing now has actually developed and enhanced and improved, but they haven't changed what's in the management system to actually represent what they're doing now, and that ends up as a non-conformity time after time. 

 

No commitment or understanding of top management: a couple of clients that I work with, I'm actually coaching Managing directors and I start talking in non ISO speak to get them to understand I'm and we'll talk about risk. We'll talk about SWAT analysis and Pestle analysis, business planning, strategic planning, and we don't talk about ISO. It's tying the two things up that tends to represent a  problem in most organizations, but what's we give top management the understanding and it seems to get better.

 
Curtis Thornton  Intertek  4:32 

Great! Thank you very much, Cheryl. That makes a lot of sense, and yeah! You’re right! Getting top management on board can at times seem difficult. However, once they are involved and understand the management system and ISO in more detail, it does make life a lot easier for everyone within the organization.  

 
That all makes an awful lot of sense, and particularly what you're talking about with top management. That does seem to be a common theme with some of our clients as well when speaking to them and getting top management on board and making them or helping them understand ISO management systems seems to be something that once done correctly, can actually add an awful lot of value to the overall effectiveness of the management system itself. So thank you for going through them.  

 

So just going it's a little bit more detail then.  How would you say that we start to address some of these issues and where do you start to improve management systems. 

 
Cheryl (Guest)   5:33 
Great question. I think a lot of times we need to get back to basics.  Particularly two things: If you're starting from scratch with the management system, you need to really understand the process based approach. But also, if you've got a mature system, perhaps we need to go back to basics and Quality 9001 really for me, describes properly what a process based management system is and it's clause 4.4.1 starts off with words like ‘The organization shall establish, implement, maintain and continually improve an effective quality management system and the processes required’ and then it goes on a little bit further. It starts talking about how processes link together.   

 

So what is a process? 
A process is something we do to turn something into something else, and the proper definition, by the way, is ‘interrelating activities that turn an input into an output with defined resource and defined controls.’ 

 
But it's basically something that we do to turn something into something else. 
 

And 4.4.1 doesn't just say establish what a process is or establishing processes, it talks about the sequence of the processes and the interaction one process has with another and if we get that right,  everything else is easy because we can define where are the risks associated with the process and if we know where there's a risk associated with the process, we can decide what control to put in place.   

 

That risk might be a business risk, a quality risk an environmental risk, a health and safety risk, a cyber risk. But if we understand the process and we define the risks associated with it, that helps us put the controls in place.  And when we're putting the controls in place then we can link things like, well, who's going to be responsible for managing and making sure that control works and what competency do they need to be able to fulfill their job role to make sure that their controls are put in place for that process are actually working.  

 

And we can go one step further because we can set some KPIs and some objectives. So we're bringing in all the different clauses of all the different standards because we understand the process.   So for example, 45001 says ‘identify hazards and assess health and safety risk’ - we need to understand the process activities to be able to do that. And when we know where the health and associates risks are we can apply the hierarchy of controls 8.1.2. When we know what the hierarchy controls are. We can communicate it to everybody. 7.4 -  we can get consultation, participation of workers 5.4.  

 

So it for me, it's always going back to that clause. 4.4.1 point one in 9001 -  understand the processes, the interaction, the processes, how one process impacts on another.  

 

If we go to environmental management where we know the process then we can establish where we have an aspect associated with that process, and where that causes an environmental impact, where it makes a change to the environment. 
And once we know that, then we can put the controls in place. We can have competent people. We can communicate. We can audit, we can monitor, we can review.  

 

And then the other thing is to check the documented information. Again, clause 4.4.2 in 9001 spells it out for me because it's saying ‘to the extent necessary’. Well, how much is that? How much does one organization need compared to another? So you decide. Having enough documentation to control the processes and have enough documentation to prove that the process did what you wanted it to do.  

 

And then have enough documentation to prove that the process actually did what it was meant to do is really important, because that's where the evidence is. 

 
I think with sometimes address some of these issues, particularly when assistance very mature, we have to go back to basics and going back to basics for me for any management system is really understanding what our processes are. 

 

Curtis Thornton  Intertek  9:41 

 

When you're talking about one management system that there's an awful lot of clauses that you need to look into. I quite like when you went into there was how they can be interrelatable and these management systems can actually work with each other. And of course, that's why from a business development manager perspective, I always advocate going for an integrated system because you can see   

The synergy between that and others that work well together.  

 
So just to summarize if you know the process and you have assigned that responsibility for the process clause 5.3 then you don't need to just use this for quality management. You can actually use this for environmental management, health and safety management and so on.  So once people take responsibility for process and understand that is all a management system is about, then the rest becomes easy. 

 
Use the process to identify the risk and again that's clause 6.1.1  and 6.1.2 , use the risk to decide on the control -  Section 8 - and then use that control to monitor Clause 9.1.1 - how it's working, and use the process to help identify any legal issues which is clause 6.1.3 and 9.1.2 and finally use the results to drive improvement which is section 10. 

 
So to finish, I'd like to thank Cheryl for taking part today and for her information surrounding management systems. It's been really useful. Any final words, Cheryl?

 
Cheryl (Guest)   11:25 
No I think you summed it up perfectly then, and hopefully people listening will realize if we go back to basics, sometimes it can help us really drive that continual improvement forward.  

 

But just remember that the good it works for the organization, meets the needs of the organization. That's the most important topic.
Needs to be lead from the top so that can become a bad or an ugly. If it doesn't happen, but maybe get top management bought in by getting them to understand actually what they're doing already, is part of what ISO requires, but just don't use the ISO speak, use business speak, and then use it to really drive improvement by understanding the processes where the risks are associated with the processes.
Putting the controls in place and then go a step forward and set objectives to improve.

 
Curtis Thornton  Intertek   12:16 
Great. Thank you very much, Cheryl and again, you know, for listeners it may sound complicated if you're new into management systems and of course ultimately myself and Cheryl are here to help. So if you'd like further help with training, certification or consultancy, please get in touch with myself, or get in touch via our website, which is www.intertek.com/businessassurance 

 
Have a great day. 
Thank you.