This article is particularly relevant to organizations seeking to transition a quality, environmental, OHS, or information security management system to the latest standards.
For a management system to be really successful, it needs to be inspired and led from the top.
Ask most CEOs if they are committed to quality, environmental, OHS, or information security management and the answer will almost certainly be...Yes. Few are likely to be brave or foolhardy enough to state...
- "No, we firmly believe in providing a poor service”, or
- “It’s just hard luck if our workers get injured”, or
- “We poison the planet, and we’re proud of it”, or
- “We don’t worry too much about security - hopefully, it takes care of itself”.
No, of course not. Top management is definitely committed to the QMS or IMS. Look, it says so on the policy statements on the wall in reception, signed 5 years ago by the CEO before last. While the above is a little tongue-in-cheek, it does illustrate that in many cases, we don’t have to scratch the surface very hard to reveal that commitment to be a little thin. An annual one-hour management review, and delegating everything else related to compliance and risk management to someone that already has a full-time job is not really evidence of a genuine commitment. So, what is?
Policy and Objectives
Well, let’s start with policies. These are the peak documents of your management system – a declaration of intent if you like. The over-arching policies should be reviewed at least annually, and updated as necessary. If there is a change of boss, they should also be reviewed at that time, and signed by the new boss. Most importantly, they should be shared with everyone in the organization. After all, with a policy, the boss is really stating “This is what I want to happen”. Therefore, everyone involved in the organization should at least know about it. There are plenty of no-cost or low-cost ways of achieving that e.g. including in a newsletter, blog, intranet, web sites, at induction – even just talking about it at team meetings.
The policy should be supplemented by setting some strategic objectives that are consistent with the wider aims of the organization. In a commercial business that may include the obvious – making a profit!
All management system standards require the participation of top management in periodic reviews of the system, and it’s a favourite subject of auditors seeking evidence of compliance. The management review should not just be a hurried exercise to comply with a standard. It should be a genuine business review and planning session.
Sure-fire evidence of commitment is when allocation of sufficient budget and resources is made for the system to achieve the purpose stated in the policy statement. Now, there’s the core of this particular issue - sufficient allocation of budget and resources. Developing and improving a management system takes time and money. Some are just not willing to really commit to that. The perception might be that the alternative option of NOT investing in their system is a cost saving. However, there is no free alternative. The reality is that NOT having such a system can take up EVEN MORE time and money, and result in the organization being exposed to significantly greater risk. It’s just that we can get used to the day-to-day inefficiencies, errors and omissions. They are just not identified and managed.
So what’s new?
The latest series of ISO management system standards expand their previous requirements for commitment to also require leadership. In the new common high-level clause structure, these requirements are universally in clause 5 ‘Leadership’. The change of emphasis is highlighted in the wording of the relevant standard clauses. Where a requirement states that top management shall ensure that something is done, they may satisfy that requirement by allocating sufficient budget and resources for someone else to do it (as mentioned above). However, when a requirement states that top management shall do something, it means exactly that. Top management shall do it. It’s not enough to delegate the job to someone else.
In the ISO 9001:2015 Quality standard, the General section of the Leadership clause lists 10 requirements for top management to demonstrate their leadership and commitment with respect to the QMS. Of those requirements, 4 use the term ‘ensuring’ – allowing delegation. The other 6 all require direct action by top management themselves. One requirement is to communicate the importance of effective quality management. Auditors can be expected to ask top management directly how they do just that, and to also seek evidence. What would be appropriate evidence? Well, examples might include records of reference being made to the subject at management or team meetings, in blogs, internal newsletters, or inclusion in job descriptions.
The other standards have almost identical requirements relating to their own topics. What they are essentially looking for is top management really taking ownership of the system and playing an active role in it. For some organizations, that will already be the case. For others, there may be a way to go.
One particular requirement in ISO 9001 that may pose a challenge for many is for top management to promote the use of the process approach. That, of course, requires top management to first understand the process approach themselves. As the previous 2 editions of ISO 9001 (dating back to 2000) also referred to taking a process approach to the QMS / IMS, the concept should theoretically be well understood by now. Unfortunately, the reality is that is not the case in a large number (perhaps the majority) of organizations. The 2015 edition places much more emphasis on the process approach, and introduces some specific requirements (as highlighted above). Many will therefore be paying serious attention to the topic for the first time. Qudos has worked with clients for over 10 years to implement the process approach, and both a discussion and document templates are included in our Quality Manager Toolkit.
Every organization transitioning from old to new standards will need to analyse the new requirements, then consider any gaps in their compliance, and what is needed to address those gaps.
Acknowledgement: Team Leader image courtesy of renjith krishnanat FreeDigitalPhotos.net