Expanding a QMS into an IMS - Your questions answered

Q: We currently have ISO 9001 certification for our QMS and intend to expand that system to also cover OHS, Environmental and possibly Information Security management. What standards should we base the system on?

A: Unless you have any specific legal or compliance obligations to the contrary, the typical choices would be:

• ISO 9001 for Quality
• ISO 45001 for OHS
• ISO 14001 for Environment
• ISO 27001 for Information Security

 

Q: What does an IMS or integrated management system really mean?

A: It means having one management system that addresses multiple compliance and risk management topics e.g. Quality, OHS, Environment, Information Security etc. Depending on your industry sector and the nature of your business, the system may also address other topics, such as food safety and supply chain security.

There should be one person with overall responsibility and authority. They may be assisted by a team with specific skills and knowledge. There is typically a ‘Management System Guide or Overview’ or over-arching document that explains the system, a set of common administrative procedures, and common methods of addressing similar requirements of different standards. Increasingly, software applications are used to aid efficiency of integrated management systems. That enables shared methods to be used, with enhanced data collection and analysis to facilitate improved decision-making.

 

Q: What are the major benefits of integration?

A: Probably the greatest benefit is eliminating duplication of effort.  All the standards have requirements that can be planned and managed using the same methods and resources. Examples include documentation, document control, setting objectives, internal audits, and management reviews.  It is generally more cost-effective to handle these and other requirements in one system, rather than in multiple silos. Let’s take a look at potential cost savings related to just some of the possible examples:

• Documents - Your IMS may have a common, documented procedures for subjects such as records management, induction, training, internal audits, dealing with nonconformances, and corrective action. There would also be many other potential areas for common procedures.
• Document control – Your IMS may have a common method of making documents available (e.g. through a common server folder structure, or a dedicated software application with filter / search facilities).
• Implementation - Many practical controls can satisfy the requirements of 2 or more standards. SO, it makes sense to plan and implement them in an integrated manner.
• Internal audits – While in a business unit or location, an internal auditor can perform audits across multiple standards.
• Management review – Your top management team could conduct their periodic review of the IMS using an agenda just slightly expanded from a standard QMS agenda – instead of carrying out separate reviews.

Getting an integrated system certified will also cost less than getting multiple, separate systems certified.

Having a single, integrated compliance and risk management system can also make it easier to build awareness, and increase the understanding, and participation of your workers.

 

Q: We have a Quality Manager, a Safety Manager, and a CIO. If we build an integrated system, who should be in overall charge of it?

A: There are no set rules about that. People with a Quality systems background tend to be strong on document and records control and general administration. While people with a Health & Safety background tend to have a greater understanding of risk assessment and risk management. That is of course, a sweeping generalisation, and the answer for your organisation would depend on the capabilities of the individuals, and other factors. Many larger organisations have someone like a ‘Compliance Manager’ in overall charge of the system, supported by a team of specialists in various topics as applicable – such as environmental, information security etc.

 

Q: We already have existing ISO 9001 certification. Can additional certification to ISO 27001 and other standards be added to that?

A: Yes. Additional standards can be added to your existing certification – even if your systems are not integrated across the standards.

 

Q: Will we save money on certification by having an IMS or integrated system?

A: Yes. Having an integrated system can reduce the audit time by up to 20% and therefore, reduce the cost of your audit. Apart from saving on the fee charged by the CB (Certification Body), there will also be a saving or your own labour in attendance at the audit.

If your system isn’t integrated from the outset, you can still work on integration, and the CB can reduce your audit time accordingly when the system is integrated. Any level of integration can contribute to reduced audit hours – and cost.

 

Q: Can our existing auditor / certification body do the additional audits?

A: If your existing certification body is accredited for the additional standards, they will be able to add extend the scope of the audit.

Your existing auditor may be qualified to conduct audits with the additional standards, but if not, the certification body should be able to make other suitable arrangements for you - such as adding a specialist auditor to the team.

 

Q: Can we use a single software application to manage our IMS or integrated management system? And if so, how will it do that?

A: Yes, you can. Qudos³ is designed on a modular basis. Those modules are focused on common requirements across a wide range of management system standards e.g. Objectives, Document management, Internal Audits, Actions for improvement and to address nonconformances, Risk management etc. Records within those fields may be categorised as you wish. This allows you to maintain a single integrated system, but to create records, query the database, and generate reports related to the subject matter you are interested in at any given time. It also contains toolkits for Quality, OHS, and Environmental, and Information Security management.

The above answers are general in nature, and every situation can be a little bit different. If you are looking at expanding or integrating your management system, we would be happy to discuss how best to meet your specific needs and requirements.

Your next step?

For an organization looking to expand its management system to also address other standards, the first step would be to perform a Gap Analysis. That is an examination of how well the organization’s current controls meet the requirements of the standard. The analysis report identifies the starting point of the journey and how much needs to be done to get to the desired outcomes.

Qudos³ software includes fully integrated Gap Analysis tools for ISO 9001, ISO 14001, ISO 45001 and even the very recent update of ISO 27001.

Qudos can also provide a professional Gap analysis service performed by qualified and experienced certification auditors in the relevant topics.

Contact us now for further details.