This article is particularly relevant to organizations seeking to transition a quality, environmental, OHS, or information security management system to the latest standards.
In risk management, the first step has always been to establish the context of the risk. For example, what is the process or activity being considered? what objectives relate to it? who are the stakeholders or interested parties? what will be the criteria for evaluating the risk? As management system standards move towards a more risk-based model, it therefore makes sense that they take the same approach. All the latest management system standards (such as ISO 9001:2015, ISO 14001:2015, ISO 27001:2013 and the draft of the new ISO 45001 for OHS) require organizations to gain an understanding of their context, then identify the significant risks and opportunities they face and need to address.
So, what is meant by the context of your organization? The context of your organization might be considered as the combination of internal issues and external issues that are relevant to its purpose and strategic direction, and have the ability to impact the management system and its intended results. At first, trying to understand the context of your own organization might seem a daunting prospect. Where to start? What to include? One approach might be to conduct a PEST and SWOT analysis. Those acronyms and tools are described below.
A PEST analysis (political, economic, social and technological) identifies factors of your organizations' operating environment or market (including competitors). This term is often expanded to PESTEL - to include environmental and legal factors. This can assist you to identify external threats and opportunities that you may then build into a SWOT (strength, weakness, opportunity, and threat) analysis. In a SWOT analysis, external factors are assessed as being either an opportunity or a threat. Internal factors are assessed as being either a strength or a weakness. Usually each item assessed would also be given a value of importance or influence (say, Extreme / High / Medium / Low, or on a scale of 1-5 or 1-10). Some examples of factors are:
Government policy affecting income or operations.
Intervention in the marketplace.
Stability / instability.
Foreign exchange rates.
Barriers to market entry.
Standard of living.
The technology that is currently or potentially available.
Digital disruption (creating opportunities or risks).
Other external infrastructure.
Applicable legislation (at various levels of government) - this may be general (such as industrial relations, health and safety, or environmental legislation), or industry-specific.
Resources (business infrastructure)
Plant and equipment
Information and communications systems (hardware, software, and networks).
Utilisation of those resources.
Physical factors (e.g. temperature, humidity, space, airflow, cleanliness).
Human factors (e.g. roster or shift arrangements, opportunities for social interaction, and individual development).
Performance, values and ambitions
Customer satisfaction ratings (e.g. survey results, net promoter scores, or other feedback), Corporate vision / mission statement, development plans.
Every industry sector and organization may have a slightly different context. Therefore, the above should be seen as an example only.
If you perform a PEST or PESTEL and a SWOT analysis, there will inevitably be some factors that you identify that could fit into more than one category. For example, people increasingly using social media for communication might be a factor that affects some organizations. Is that a Social factor or a Technology factor? A case could be argued for both. Ultimately, does it matter what category the factor belongs in? The key thing is that you have identified what might be an important factor in the context of your organization. You can then go on to assess its significance and plan actions accordingly.
This exercise of understanding the context of your organization should provide a solid foundation for the development of your management system. It should give you a clear idea of the issues you face, which will put you in a good position to plan and implement your system. Monitoring and reviewing the context will aid its continual improvement.
Should this step be documented? Well, the standards do not specify that as a requirement, but you need to consider:
- How would you best go about building your understanding of the context of your organization?
- How would you ensure that the factors are monitored and reviewed over time
- How would you demonstrate to an auditor that you have determined the factors, and have monitored and reviewed them?
Documentation may well be very useful to maintain and demonstrate compliance.