Companies use different management system implementation methodologies to understand the requirements / inputs of their customer and then plan to deliver outputs meeting requirements as a conforming product / service. The International Organization for Standardization (ISO) publishes standards which when correctly interpreted enables companies to systematically and consistently provide desired outputs while addressing risks. Using the framework/methodology provided by ISO, companies design systems / processes to work together to deliver desired outputs.
The endeavor of the organization should be to define the outputs (products/services) accurately, after understanding customer requirements, both stated and unstated. ISO standards allows companies of any size and industry to implement them. Hence a lot is left open to interpretation. Despite this, certification of these systems delivers confidence to potential and existing customers that the company is implementing a process with the intent of continual improvement. Across the globe, an ISO certification gives confidence of a certain basic framework being implemented and followed.
The risks are appreciated in the context of the organization. The core process of the organization has its objectives directly derived from the company policy. The Key and Support procedures ensure the objectives of the core procedure are met and deliver a confirming product and or a confirming service.
Why ‘ISO-ized’ systems fail?
This understanding of how a management system works and delivers products and services must be understood in the spirit of the ISO standard. The use of the standard is not like a magic wand which will guarantee excellence or success. The Standard needs careful interpretation to design the processes necessary to meet stakeholder requirements. Many an ‘ISO-ized’ management system implementation do not deliver sustained success because, when written around the clauses of the standard the system is not actively used and therefore does not deliver the feedback that a good system should.
The process needs to be documented around what the users do. These processes then need to be resourced, controlled, monitored, audited and reviewed for continuing suitability, adequacy and effectiveness. Organizations blunder into believing that ‘ISO-izing’ their system is the panacea to all their problems. It is not. These systems documented to the clauses only benefit the external auditors of the system. The system should be documented for easy use by the users of the system. Auditors and auditing are an integral part of the system; meant to provide objective inputs for improvements and not to dictate how the system functions.
The process approach to management system implementation
The process-based approach is the fundamental to management system implementation. The success in ISO standard implementation (be it for efficiency, managing risk, security, environment, aerospace quality or food safety etc.), lies in a good plan that accounts for system risks given the organizational business context. Management system implementations should ideally capture the “as-is” of the system, compare it to requirements and identify the gaps enabling design of new procedures and an update of existing procedures. These procedures are designed to meet measurable objectives, that are based on the policy of the leadership. Users of the system do the work to meet the objectives and the procedures must capture the ‘how’ of what they do.
The chain from understanding requirements, risks and inputs to creating the policy should be systematically considered in designing the management system prior resourcing it. The system approach as prescribed by ISO standards allows for involvement of the leadership from cradle to cradle i.e. from the planning to implementing to monitoring and reviewing of performance for improvement. This approach gets Top Management (TM) to take personal ownership of their management systems.
ISO standards are not prescriptive and need interpretation by the users of the system. Using the Plan-Do-Check-Act (PDCA) cycle approach leaders convey their policy to the users of the system. The system ensures adequate controls and resources, so outputs meet the inputs and the measurable objectives as set. Management system implementation, when done correctly, allows for feedback to be captured so risks and opportunities for improvement are identified and addressed in a timely manner. As for the auditors let us have them use their innovative approaches to identify how the system meets the requirements and intent of the standard. To make it easy we could provide them with a cross-reference matrix to demonstrate where the requirements of the system are met within the documented procedures. Bottom line: Embrace your system when developing it to meet requirements, including those per ISO standards, and you will see the benefits of ‘De-ISO-ized’ system.