The future of management systems standards & auditing implications
With some of the world’s most widely used ISO standards - including quality, environmental and health and safety - currently being revised by ISO Technical Committees, Paul Phyall, Senior Vice President LRQA Asia, recently explored the wider implications of these revisions for the assessment industry and the organisations they serve.
During the recent IRCA 12th Forum held in Japan - with a theme of ‘Helping Business to Succeed’ - Phyall delivered a keynote speech on the future of management systems standards and what organisations worldwide should expect from robust independent audits.
"Prior to the last significant update in 2000, the world’s leading quality management system standard ISO 9001, along with many of the other ISO standards, was purely a conformity assessment standard. Following the changes, which were rooted in key quality management principles, the standard became not only this, but also a framework for managing and assessing organisations against accepted management best practice. So as the world waits for the next updates to quality and environmental (which are currently scheduled for 2015), as well as health and safety, it is a good time for us to explore the implications for the assessment industry and to examine how the standards of the future should or may look.
Over the last 13 years, the shape of organisations has changed immeasurably, and as such the assessment industry has reacted by extending their focus beyond the certificate to an assessment approach linked to organisational strategic objectives. Organisations today are ‘open systems’; by this I mean that they affect and are affected by the environment and clearly all organisations are linked to the external environment whether they produce goods or provide services.
Organisations can be at the beginning or end of a supply chain or anywhere in between. They can range in size from being relatively small to massive multi-nationals. However, they are all made up of people and have a management structure that determines relationships between the different activities and the members, and sub-divides and assigns roles, responsibilities and authorities to carry out different tasks. Whilst, no two organisations are alike, they do have a shared need – irrespective of their size, shape or geographical location – and that need could be summarised as ‘one multi-disciplined management system intended to manage and mitigate business risks and identify areas for improvement which in turn can lead to opportunity’. To support this vision, organisations want - and crucially need - auditors who understand the complexities of businesses and the sectors within which they operate and are able to audit across a range of disciplines.
So moving back to the external environment, an organisation will have many stakeholders. Stakeholders can be defined as those that provide or control or influence and those that receive. Whilst many organisations spend substantial percentages of their annual budgets analysing their stakeholders’ individual and collective needs, the savvy organisation knows to prioritise them in relation to their business strategy. It is important that an organisation understands and defines their measures for success and finds a realistic balance, for example investors versus customers versus community. This is where the role of the management system becomes pivotal to the success of the organisation as designed appropriately and implemented well, it will be able to manage known risks, measure performance and be prepared to react to results. Naturally, organisations need to continually monitor their stakeholder needs as these will change – often without warning – but clearly these needs can be managed largely through a management systems-based approach. So how will this change with the upcoming ISO standard revisions?
Let’s start by considering the Annex SL requirements - the common text and structure adopted by ISO that will be utilised in all management systems standards going forward – and one of the key areas of Annex SL, specifically Organisational Context.
Organisational Context requires the determination of external and internal factors that are relevant to the organisation’s purpose and that affect its ability to achieve the intended outcomes of the management system.
This will have significant implications for the design of the management system and the alignment of strategy and structure within organisations. For LRQA’s auditors, they need to be able to understand these external stakeholders and how they impact a company and its management system: So taking all of the points above relative to stakeholders into consideration, you can appreciate how complex organisations can be both internally in their set-up and externally in respect to their stakeholders.
The second major external factor is technological advances which are triggering change. The management of change is a critical factor in the success of an organisation. The business world is moving at the speed of thought and many organisations – irrespective of whether they are competitive or not - need to change to remain efficient or increase competitiveness.
However, with change there is risk. Risk of overspend, risk of losing control, risk of failure, so with all of these factors, it is vitally important that change is managed effectively to mitigate risk. As a consequence, any management system must have processes in place to manage change and in turn, the auditing profession needs to be able to identify and manage more in-depth risks – risks that might not even be on our radar at the time of writing – in order to deliver against this greater future focus on the management of risk within management systems as we move through the ISO standards revision process.
But let’s not be blinkered in our thinking; the future of management systems standards is upon us now.
There are now hundreds of auditable management systems, with many organisations operating a number of certified standards through an integrated management system. The introduction and subsequent adoption of Annex SL has the potential to bring about real improvements in the way in which management systems operate. We have already touched on the implications of ‘organisational context’ and ‘management of risk’ for the forthcoming revisions to ISO 9001, ISO 14001 and OHSAS 18001 but Annex SL will also deliver increased functionality in the realms of Leadership, Change Management, Performance and the Integration of Different Systems.
Clearly, organisations will need to know, monitor and manage risks and ensure an ideal level of performance is maintained. Increasingly, organisations will need to rely on technology to remain competitive or remain useful to their stakeholders.
So now let’s turn our focus inwards and consider what organisations currently expect from auditors, particularly third party auditors. For the sake of clarity, these are listed below:
• Compliance; that their management systems are compliant with international standards.
• Reputation; they need an auditing organisation which will support their reputation and will also go some way to protecting their own reputation
• Risks and opportunities identified; mitigating risk through the delivery of robust audits that can also deliver opportunities for improvement
• Minimum disruption; often spanning multiple sites and geographical locations, assessments need to be conducted by calibrated auditors to ensure consistency of assessment on a global level with minimal disruption to the business
• Value added audits by providing value to the business which results in improvements in efficiency and as a result cost savings or competitive advantage
• Management systems specialist; auditors must have technical expertise and be knowledgeable and experienced in management systems and the sector within which they operate
• Assurance; ultimately organisations are looking for independent assurance that their organisation is under control and well managed through effective systems.
Fast forward to 2015, the current date being forecast by ISO for the release of the revised quality and environmental ISO standards, and will the landscape have changed? In my view, yes. Going forward we can expect organisations to expect that their chosen certification body is:
• Knowledgeable and experienced to audit requirements for multiple management system standards.
o Auditors will need to be qualified, experienced and knowledgeable in multiple management systems as we will experience more integration and ultimately lead to one business system - which in itself will create better control and efficiency and less risk.
• Knowledgeable and experienced to audit beyond the requirements of management system standards.
o By this we mean the delivery of bespoke second party auditing solutions tailored to meet the complex needs of today’s successful organisation often spanning global supply chains.
• Highly trusted, respected, confident and able
o Put simply, an auditor will need to be bilingual; they will need to be able to speak the language of the boardroom and the shop floor. They should be strategists with an ability to provide senior management with confidence in their operations and should be seen as a valued partner who understands organisational strategy and can include strategic and tactical level risks in audits.
So as we look towards 2015, many of the assessment requirements to meet the new ISO standards updates are already being put into practice by our global network of auditors.
Auditors will need to keep well-informed with business developments and create value in what they do. Whilst the nuances of what the revisions will mean for auditor requirements are still to be determined, let us not ever underestimate how important our profession of auditing is to ensure risks are mitigated, improvements identified and assurance is provided to organisations worldwide.
With these principles in mind, there is clearly a need for the profession of auditing to be recognised for its diversity, complexity and competence and how it continues to add value to society and the business world at large, not just today, but into the future too."
A copy of Paul’s presentation can be downloaded here.