Introduction to Management Systems and The High-Level Structure


Introduction

Welcome to the interesting, boring, simple, complex and sometimes frustrating world of ISO management systems. My intention in writing this guide is that you might eventually find ISO management systems as interesting as I do. At the very least, I’m sure that if you use this guide as a constant companion, and refer to it often, you will find answers to some of the everyday problems you face in your daily ISO system management. At this point, it might be pertinent to ask the question “What is a management system?”. This is the question that I ask delegates early on when delivering one of my Introduction to Management Systems courses. Let’s see what answers a Google search returns to that question:

And the list goes on! All of these are valid descriptions of what a management system is, and I would agree with them all. My personal definition of a management system is greatly simplified:

  • A management system is a tool for improvement.
    (P. Ingram)


I suppose my definition of a management system describes the ultimate aim of what it is trying to achieve, that being continual improvement. Modern management systems achieve this by incorporating the principle of Plan, Do, Check, Act (PDCA). There are some key themes to modern management systems including:

PDCA (continual improvement)

Clause 6: Planning is where you are required to take actions to address your risks and opportunities. Clause 4.1: Understanding the organisation and its context and Clause 4.2: Understanding the needs and expectations of interested parties provide much of the content for clause 6. A great tool to help you with the early requirements of clauses 4.1 & 4.2 is called a PESTLE analysis. I will provide information about performing a PESTLE analysis during these chapters. Clauses 4.1, 4.2 and 6 are the ‘Plan’ stage of the PDCA cycle.

Clause 8: Operational planning & control is where the results of this planning are put into practice. This is where you are controlling all aspects of your manufacturing, safety, environmental and service delivery. This is the ‘Do’ part of the PDCA cycle.

Clause 9: Performance evaluation is where you take an inward look at yourself with monitoring and measuring, internal audits and management reviews. You do this to ascertain if the plans you made in clause 6 and put into practice in clause 8 are performing as they should be. This is the ‘Check’ part of the PDCA cycle.

Clause 10: Improvement is where, based upon the results of your monitoring and measuring activities of clause 9, you make plans to improve any and all aspects of what you do as an organisation. This also includes designing and implementing any corrective actions against non-conformances raised during internal audits. This is the ‘Act’ part of the PDCA cycle.

Clauses 5: Leadership and 7: Support play a supporting role in the PDCA cycle by requiring complete management commitment and the provision of training and resources for the management system to function effectively.

Risk-based Thinking

ISO 9001:2015 describes risk as:

  • The effect of uncertainty.

To understand this, think of an event either planned or unplanned that is about to occur. If the outcome of this event is unknown, then there is a risk of uncertainty. Of course, risk can have both positive and negative outcomes. For example, imagine purchasing £100 worth of lottery tickets. If the outcome is a win (more than £100) then the risk is a positive outcome. Conversely, if you don’t win on any ticket then the outcome is negative and you have lost £100.

From a management system perspective, risk-based thinking is about maximising any opportunities and planning to mitigate all risks so far as reasonably practicable. Adopting a risk-based approach is nothing more than constantly asking yourself questions that begin with ‘what if?’.

What if:

  • We invest in new technology, will we see a positive return on our investment?
  • We fail to meet the needs and expectations of our customers?
  • We cannot afford to provide the required safety/environmental training?
  • We invest heavily in a social media marketing campaign, will we see a positive return on our investment?
  • We switch to an all-electric fleet, will that save us money and gain us new, environmentally aware customers in the long-term?

By planning to address both risks and opportunities regularly you are adopting a proactive approach. The alternative to this is simply reacting to a crisis as it occurs, which is both time-consuming and costly. To understand a risk-based approach from a management system perspective, think about the internal audit function. If you read the detail of clause 9.2.2(a) you will find the phrase “the importance of the processes concerned”. It is part of the requirement for planning your audit schedule. I get asked to explain this phrase quite often during the delivery of my Internal Auditors Course. It simply refers to a risk-based approach when planning the audit schedule and refers to auditing your high-risk processes more often than low-risk processes.

You can apply a risk-based approach to every clause of the standard by simply asking yourself ‘what if?’. Of course, adopting a risk-based approach has nothing to do with the clauses of the standard, but has everything to do with the philosophy and culture of how you manage your organisation.

In industries where safety and environmental legal compliance is a high priority, then adopting a risk-based approach is essential. For example, if fire and explosion have been identified as likely to occur, this risk would require more stringent safety controls when compared to operating a powered hand tool. The safety controls would not simply be a risk assessment, but would also include a permit to work, method statements, emergency response procedures, specialist training, observations and monitoring etc. I know that all this is very obvious in this example but the philosophy behind a risk-based approach is to apply this to all aspects of everything that you do.

The Process Approach

The ISO organisation describes the process approach as:

“a set of interrelated or interacting activities that use inputs to deliver an intended result”

The process approach describes managing all of your activities as a holistic whole instead of individual parts operating in isolation. Sometimes referred to as ‘Horizontal Management’, connected processes flow between departmental boundaries. The process approach asks you to consider and plan your processes in their entirety as opposed to just focusing on the ‘activity’ part of a process. This entails considering the inputs to the process, the activity and also the outputs produced by the process.

For example, consider your car journey to work from a holistic, process approach perspective:

Process: Car journey to the workplace.

Resources: vehicle, operator, route planner(?)

Inputs: fuel, oil, water, vehicle service, MOT check, car tax, navigation system(?) competent operator.

Activity: start the engine, operate the vehicle safely, and drive according to a planned route.

Output (desired): to arrive at an expected time, to arrive safely and without accident.

Criteria: observe legal speed requirements, observe and obey traffic lights/signs, arrive at a specified time, and operator trained to legal standards.

If you consider that description from an auditor’s perspective, there are many items to check for. One of the activities from my Internal Auditor Training Course requires the delegates to describe a process that they are familiar with at work from an auditing perspective. A great many of them simply describe the activity part of the process. They fail to describe the resources, inputs, outputs and criteria for the process. Explaining the process using the example provided above comes as quite a ‘light bulb’ moment for many delegates.

Processes very rarely exist in isolation. The output from one process is often the input to a connected process. The process approach encourages you to consider this when planning and monitoring your processes. The beauty of operating according to a planned process is that it provides all interested parties with a unified road map and direction to follow. Processes help to define interrelated activities and provide the opportunities to design checks so that the expected outcomes can be achieved with consistency. Processes have the added advantage of enabling you to identify ‘points of failure’ and calculate potential risks.

With this in mind, one can see that the risk-based approach, PDCA and a process approach all help to contribute to the success and continual improvement of management systems. Another key ingredient to the success of the process approach is the ‘process owner’. All processes should have an owner/s. By doing this you can define the terms of responsibility and accountability. This is crucial because without it a worker can simply avoid any interest in the success of a process. It’s for this reason that clause 5.3 Roles, Responsibilities and Authorities is important and useful. It is very useful to establish a process management team that includes representatives from various interacting processes and functional departments. The ultimate aim of this team is always to look at reducing risk in processes and to find ways to improve processes and process interactions.

What are the possible benefits of the process approach?

  • A focus on the more important (“high‐risk”) processes and their outputs
  • improved understanding, definition and integration of interdependent processes
  • systematic management of planning, implementation, checks and improvement of processes and the management system as a whole.
  • better use of resources and increased accountability
  • more consistent achievement of the policies and objectives, intended results and overall performance
  • process approach can facilitate the implementation of any management system
  • enhanced customer satisfaction by meeting
    (ISO.org)

Leadership

I think that it would be pertinent to first define the difference between management and leadership. Influence and inspiration are what differentiate leadership from the power and control of management. Managers exercise control over subordinates through circles of power whereas leaders create circles of influence. Leaders have people who follow them while managers have people who work for them.

In the previous 2008 version of ISO 9001, there were just four items relating to the commitment from top management. The current 2015 version requires top management to commit to 10 separate items. This fact alone demonstrates the importance the authors have placed on leadership when implementing and maintaining the management system.

The continued success of the management system across all areas of the organisation will depend heavily on the enthusiasm and inspiration of top management. I’m sure you have been in a work situation where you have felt like it is ‘one rule for them, but a separate rule for the rest of us’. Top management must create a positive, organisational culture for the management system that promotes the benefits of continual improvement. If there are pockets of resistance that exist between departments, the management system will struggle to achieve the full benefits that it could deliver. Only complete commitment and championing of the management system from top management will enable it to achieve its full potential.

The High-Level Structure (HLS)

This is the attempt to harmonise the structure and core text of modern management systems by providing authors and developers with standards guidance known as the ‘Annex SL’ directive. The fundamental aim of the HLS is to make all future management systems align more closely and enable the design of an integrated management system to be made less complicated. Management systems authored according to the HLS will have a common structure and also use many of the same terms and definitions.

Annex SL, now renamed Annex L (2019), has been deployed and in use since 2012 and has received a welcome response from all interested parties. Although not perfect, the HLS structure and core text are essentially ‘standard independent’, meaning that they can be applied to any management system. Extra requirements and definitions that are specific to a particular standard are then added to make it unique. This means that users who are familiar with the core text and structure of the HLS will find it quite easy to understand and navigate between standards such as ISO 9001, 14001 and 45001 etc.

The Annex SL structure consists of 10 common clauses within which all content in future Management System Standards must be developed and presented. A brief description of each of the 10 clauses follows:

  • Clause 1 – Scope: This defines the intended outcomes of the particular Management System standard.
  • Clause 2 – Normative references: Describes references and standards that are relevant to its publication.
  • Clause 3 – Terms and definitions: Definitions of the common terms used within the publication are described here.
  • Clause 4 – Context of the organisation: The foundation requirements that will influence the entirety of the management system, and how it is implemented and effectively maintained. This is the first part of the standard that contains auditable requirements and requirements for documentation. This section also contains a requirement for you to declare what will be the scope of your management system.
  • Clause 5 – Leadership: This section contains a large upgrade of the requirements placed upon top management when compared to the previous 2008 edition. Accountability for the success of the management system now clearly lies in the hands of top management. Top management is now required to lead and champion the management system to all interested parties.
  • Clause 6 – Planning: Requires you to make detailed plans for the assessment of risks and opportunities. Much of the content for these requirements comes from the activities you performed in clauses 4.1-4.4. This clause also contains the requirements for setting objectives and managing change.
  • Clause 7 – Support: Describes the requirements for resources that will enable you to implement and maintain an effective management system. Resources include infrastructure, competent persons, communication strategies and document control. Top management is required to provide the resources necessary to achieve continual improvement for the management system.
  • Clause 8 – Operation: For ISO 9001:2015 this is by far the largest section of the standard and the cause of much stress for process managers. ISO 14001:2015 & ISO 45001:2018 contain far fewer requirements when compared to ISO 9001:2015 in this section. This section contains all of the requirements for the successful operation of your product production and/or service delivery.
  • Clause 9 – Performance evaluation: This is where you are required to take an internal look at yourself and to monitor and evaluate all of the plans that you made in clause 6. The data produced during this phase is used as the input to clause 9.3 Management Review. The output from the management review is used as the input to the following clause 10 Improvement.
  • Clause 10 – Improvement: This is the final phase of the PDCA cycle where you are required to make improvements. Improvements might be the result of corrective actions, brainstorming, problem-solving, customer feedback and data analysis. Continual improvement is the skeleton that supports the entire management system and it is the sum of all of its parts. Without achieving continual improvement, the management system is failing to achieve its fundamental function.

These are the common titles that are to be found in all future standards that are authored according to Annex L. Most of the first-level sub-clauses will also have the same titles, such as clause 7.1: Resources. However, once you get to the second sub-level clauses things will begin to differ between the standards and become specific to that particular standard. As mentioned earlier, this now makes navigating between standards much easier when compared to the standards that were not authored according to the Annex L structure.

Because of the commonality between clause titles, core text and requirements, this book will place its focus upon the requirements of ISO 9001:2015. However, where there are different or extra requirements for ISO 14001:2015 & ISO 45001:2018 I will discuss these requirement details at the end of each chapter.

For Auditors

I will include a short section at the end of each chapter to suggest a possible audit trail for the clause requirement. However, please remember that auditing and audit trails for investigation are an individual thing. My audit trails are just basic suggestions to get you started if you are new to auditing. Each audit situation will vary according to the organisation and the environment that you are auditing within.

There are many items within an audit that are pretty much standard fare such as investigating:

  • 7.5 documentation requirements
  • Competence and training
  • Communication
  • Roles, responsibilities and authorities
  • Monitoring and measuring
  • Objectives and targets

I’m mentioning this now because I don’t plan to repeat these common auditing items at the end of each chapter as that would get very repetitious. My personal approach to auditing is to investigate the culture of the management system under the leadership of top management. Following this, I investigate how the organisation is managing its risk in relation to its interested parties. After that, I’m looking for evidence of continual improvement. This is my high-level approach to the auditing of a management system. Auditing beyond this entails requirement specifics according to the particular management system. If you are being asked to perform a 1st party (internal) or 2nd party (supplier) audit then I would highly recommend attending an internal auditor training course that is based upon the recommendations of ISO 19011:2018.

References: 

  • www.iso.org
  • ISO 9000:2015
  • ISO 9002:2015
  • ISO 14001:2015
  • ISO 45001:2018


(c) All content is copyrighted to ISO Training UK – All rights reserved 2022.

Author Bio

Paul Ingram has over 15 years of experience working in quality, health and safety and environmental management. Specialising as a trainer, he has provided training to thousands of delegates for small and multi-national businesses across the globe. A specialist in management system training and able to design and deliver courses for ISO 9001, 45001 & 14001. This includes implementation, Introduction, Internal Auditor, Lead Auditor, Remote Auditing, Management Brief and many more. For more information about booking a course visit: ISO Training & Consultancy
