By Inderjit Arora
Every company uses a system to understand the requirements and inputs of its customers, and then plans to deliver outputs meeting those requirements as a conforming product or service. The International Organization for Standardization (ISO) publishes management system standards that, when correctly interpreted, enable companies to systematically and consistently provide desired outputs while addressing risks.
Using the framework provided by ISO, companies can design systems and processes that work together to deliver desired outputs (i.e., products or services). An organization should endeavor to define its outputs accurately, after understanding customer requirements, both stated and unstated. ISO standards allow companies of any size and industry to implement them; hence, a lot is left open to interpretation.
Despite this, certification to these management system standards delivers confidence to potential and existing customers that the company is implementing a process with the intent of continual improvement. Across the globe, an ISO management system certification, such as ISO 9001, gives confidence of a certain basic framework being implemented and followed.
Risks are identified in the context of the organization. The organization’s core process derives its objectives directly from the company policy. Key and support procedures ensure that these objectives are met in order to deliver a confirming product or confirming service.
Why ‘ISO-ized’ systems fail
This understanding of how a management system works to deliver products and services must be understood in the spirit of the ISO standard. The standard is not like a magic wand that will guarantee excellence or success. It needs careful interpretation to design the processes necessary to meet stakeholder requirements. Unfortunately, many companies try to “ISO-ize” their management systems by simply writing processes and procedures around the standard’s clauses, with no regard to whether the processes or procedures make sense for their business. Many ISO-ized management systems fail to deliver sustained success because such systems can’t deliver the feedback that a good system should.
Processes must be documented around what users actually do. These processes then need to be resourced, controlled, monitored, audited, and reviewed for continuing suitability, adequacy, and effectiveness. Organizations blunder into believing that ISO-izing their systems is the panacea to all their problems. It is not. Management systems documented to reflect a standard’s clauses only benefit external auditors of the systems. Auditors and auditing are an integral part of a system, but they are meant to provide objective inputs for improvements, not to dictate how the system functions. Good management systems should be documented for easy use by their users.
The process approach to systems
A process-based approach is fundamental to implementing a management system. Success in implementing ISO management standards—for efficiency, managing risk, security, environment, aerospace quality, food safety, or whatever—lies in a good plan that accounts for system risks, given the organizational business context. Ideally, a management system should capture the “as-is” of the system, compare it to requirements, and identify any gaps between the two. This enables the design of new procedures and an update of existing procedures. A process approach is designed to meet measurable objectives, ones that are based on the policy of the organization’s leadership. System users do the work to meet the objectives, and the procedures must capture the “how” of what they do.
The relationship between understanding requirements, risks, and inputs to creating the policy should be systematically considered when designing a management system and prior to resourcing it. The system approach as prescribed by ISO standards allows for involvement of the leadership throughout the entire implementation process, i.e., from planning and implementing to monitoring and reviewing for performance for improvement. This motivates top management to take personal ownership of their management systems.
ISO management system standards are not prescriptive and need interpretation by users of the system. Using the plan-do-check-act (PDCA) cycle approach, leaders convey their policy to the system users. The system ensures adequate controls and resources so that outputs correlate with inputs and meet measurable objectives as set. The system allows for feedback to be captured, so risks and opportunities for improvement are identified and addressed in a timely manner.
As for the auditors, let us encourage them to use their innovative approaches to identify how the system meets the standard’s requirements and intent. To make it easy, we could provide them with a cross-reference matrix to demonstrate where the standard’s requirements are met within the documented system procedures.
Bottom line: Embrace your system when developing it to meet requirements, including those per ISO standards, and you will see the benefits of a “de-ISO-ized” system.
About the author
Inderjit Arora is the president and CEO of Quality Management International Inc. (QMII). He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and a 32-year record of achievement in the military, mercantile marine, and civilian industry.
This article originally appeared on the Quality Digest website on September 30, 2019 and is published here with permission.