Clause 5.3 Organizational Roles, Responsibilities and Authorities

What are organizational roles and responsibilities?

Responsibility for the quality management system, surely that lies with the quality manager, doesn’t it? Sadly, this is a common situation and misunderstanding within businesses across the globe. You’ll no longer find the term “management representative” that might be familiar to users of ISO 9001:2008. However, just because the term no longer exists does not mean that the associated responsibilities have also disappeared.

I’ve lost count of the number of times that I’ve been sat in a management meeting only to hear the phrase “I thought you were in charge of that?” and a long line of similar phrases. Does that sound familiar to you? One of the main problems that arise when roles, responsibilities and authorities are not clearly defined is the lack of accountability.

That important audit should have taken place but was missed because it was not clear exactly who was responsible for planning and conducting it, is an example of responsibilities and authorities not being clearly defined. It might seem counter-intuitive but in small businesses, this is not a common problem. Small businesses with less staff are very good at defining roles and responsibilities however, the larger the organisation gets the more common the problem becomes.

Defined responsibilities and authorities are crucial to the success of any management system, quality or otherwise. If a member of staff has been given the hourly task of performing that all-important temperature check on a particular machine, then it’s vitally important that this ‘responsibility’ has been clearly assigned to the individual and that all staff affected by the process are aware of this. After assigning responsibility to a person, that person can no longer hide behind the excuse of ignorance during or after an audit. That kind of reminds me of a familiar statement:

• “Ignorance is no defence in law”
  
  

Why should responsibilities and authorities be documented?

Of course, this particular member of staff might also have been assigned the ‘authority’ to delegate this task to someone else as and when required. Although ISO 9001:2018 does not require that roles, responsibilities and authorities be documented, it’s a good idea to document them as part of the procedure for a process. That reminds me of an old auditors quote:

• “If you’re doing it, then why not document it”.
  
  

Having roles, responsibilities and authorities clearly defined within your management system, is a requirement of clause 5.3. The authors of ISO 9001:2018 understand that for a management system to operate efficiently, then correctly assigning roles, responsibilities and authorities is crucial for success.

Does your human resource department hold job descriptions and job advertisement details on file? I would imagine that they do and this could be a good way to document your various roles, responsibilities and authorities without the need for duplication and extra work. You might also draw an auditors attention to the company organisational chart which should highlight the roles, responsibilities and authorities for the top management roles.

Clause 5.3 begins with the familiar statement “top management shall ensure”. We’ve heard that statement before, haven’t we? Isn’t it pleasing to know that top management is now being reminded, in no uncertain terms, that they are a part of, and are ultimately responsible for the management system!

Clause 5.3 consists of 5 subclauses (a)-(e) and begins with a statement saying top management should ensure that roles, responsibilities and authorities are assigned, communicated and understood. The following statement requires top management to assign the responsibility and authority for:

(a) Meets the requirements of the standard

Although from a daily operational perspective, the responsibility commonly lies with a person under the title of quality manager or similar, anyone with a good working knowledge of the quality management system can be assigned this responsibility. When you consider that the quality management system affects everyone within the organisation, then it’s fair to say that all members of the organisation have a certain amount of responsibility to ensure that the management system conforms to the requirements of ISO 9001.

One of my major annoyances as a 3rd party auditor is finding that many staff within organizations who are deploying ISO 9001:2018 have not been given some very basic management system training that explains the fundamentals of what a management system is, and how it affects their personal role within the organisation.

The Need For Training

How can one expect staff to participate in a management system that they know nothing about? Let’s face it, management system language and requirements can be confusing at the best of times and will read (and sound) like a foreign language to the untrained. I’m not suggesting that every single individual has to attend a recognized ISO training course costing hundreds of pounds. Why not send department managers on this type of course? They can then impart their learning down to shift team leaders who can then provide a basic 30 min introduction to their team members.

Performing audits, observations, training and regular communication on aspects of the quality management system are all effective ways to ensure that the requirements of the standard are being met.

(b) Checking that your processes are meeting their intended outputs

Of course to do this, one must have a process established in the first place. This is essentially a measuring, testing, observations and results-based activity. It’s quite common for performance type objectives to be linked to a process such as a parts-per-minute objective. This type of objective will require observing, monitoring, data collection and reporting. The data gathered from the reports will often then be measured against key performance indicators and expected targets.

The final data set from this will be fed through to top management for review at a management review meeting. A top-level view of this scenario would indicate the requirement for a minimum of two responsibilities to be assigned, one for the data collection and the other for the data analysis. However, from a practical, there may well be various responsibilities assigned.

(c) Responsibility for reporting on the quality management system and identifying opportunities for improvement to top management.

Have you got a talent for reporting data back to top management by using a fancy-looking excel dashboard? Top management really likes looking at complex data sets that are displayed to them with fancy looking pie charts and animated graphs. Assigning responsibility for this role should go to a person with a creative flair and a talent for communication using a visual medium. This is a very dynamic role and the responsible person should be able to react to change and communicate it effectively using simple, visual means. Being able to identify opportunities for improvement is best made into a collective exercise and so it’s a good idea to assign responsibility for this across a particular group of individuals.

(d)The promotion of customer focus throughout the organisation

Remember back at clause 5.2 when I mentioned that the larger an organisation gets, the poorer they are at remembering the importance of customer focus. The various meetings that staff attend on a daily basis can often get so bogged down in mind-numbingly boring detail that remembering it all relates to the customer is often lost. Having to assign a role to an individual (or individuals) to promote the concept of customer focus has always seemed disappointing to me. This is because, as I’ve mentioned in chapter 5.2, everyone throughout the organisation should be trained and promote the concept of customer focus.

The person assigned the specific responsibility for this role should be involved with communicating data concerning the customer experience back to top management. This data should include:

• Feedback from customer surveys
• Opportunities to improve the customer experience
• Problems/ successes emerging from customer complaints
• Problems/ successes emerging from product/service delivery (logistical)
• The design of customer communication strategies
• How oobjectives supported by the policy are performing
  
  

(e) Responsibility for the integrity of the quality management system during change.

Maintaining the integrity of the quality management system on a daily basis is a constant and often difficult task. This is a part of the management system that you could say is closely linked to the role of the document controller. Individuals will often want to make changes to processes and procedures and by having a strong document control process, they can make those changes if approved and in a controlled manner according to the requirements of clause 7.5.

All changes that can affect the quality management system should be planned for and made in a controlled manner. There are a great many clauses within ISO 9001:2018 that this applies to but it gets a specific mention at clause 8.5.6 “Control of changes”.

Planning For Change

I’ve often been in the role of being the QHSE officer. During this role and on more than one occasion, I’ve walked across the shop floor and a new machine had suddenly made an appearance as if by magic. You would expect that I might have been consulted before that change happened so that issues relating to the change could be identified.

Issues such as:

• Possible noise pollution
• Material safety data sheet considerations for fluids
• Safe operating procedures
• Safety risk assessments
• Service safety procedures
• Fire/explosion safety
• Safety training requirements
  
  

And that is by no means an exhaustive list of possible issues that required careful planning before the new machine was purchased and subsequently deployed into active operation. Considering this, it’s quite easy to understand why a 3rd party auditor would not be happy when identifying this type of situation. This would leave large gaps within the management system and so the integrity of the system has been negatively affected. The issues of change for you will be dependent upon your organisational context.

The responsibility for ensuring that the integrity of the quality management system remains intact should be assigned to an individual who can enforce the requirements of the standard to ensure that they are understood, communicated and applied. Checks on this can happen by using observations, completed documentation, conducting internal audits and thorough analysis at management review.

Clause 5.3 requirements for ISO 14001:2015 & ISO 45001:2018

The requirements are pretty much identical however, there are only 2 sub-clause requirements which are:

ISO 14001:2015 does not require that roles, responsibilities and authorities be maintained as documented information. Clause 5.3 contains only 2 sub-clause requirements:

(a) The management system conforms to the requirements of the standard

(b) Reporting on the management system and on environmental performance to top management.

ISO 45001:2018 does not require that roles, responsibilities and authorities be maintained as documented information. Clause 5.3 contains only 2 sub-clause requirements:

(a) The OH&S management system conforms to the requirements of the standard

(b) Reporting on the OH&S management system to top management.

For Auditors

1. ISO 9001:2018 does not require documented information for this clause.
2. Investigate the existence of job descriptions.
3. Investigate the existence of an org-chart with associated roles, responsibilities and authorities.
4. Ask individual staff if they know who is responsible for….? (focus on the sub-clause requirements of clause 5.3 (a-e)
5. Ask individual staff if they know what their personal responsibility is within their role.
   
   

Some questions that I will answer in more detail in future articles include:

• What are the roles and responsibilities of ISO?
• What is role responsibility and authority?
• Do responsibilities and authorities need to be documented?
• Who is responsible for the quality management system?
• What are the organization’s responsibilities in establishing QMS?