Myth: Your Management System Documentation Must Resemble the ISO Standard

A management system written just to align with ISO QMS clauses won’t deliver the feedback you need

Published: Monday, September 30, 2019 - 11:03

Every company uses a system to understand the requirements and inputs of its customers, and then plans to deliver outputs meeting those requirements as a conforming product or service. The International Organization for Standardization (ISO) publishes management system standards that, when correctly interpreted, enable companies to systematically and consistently provide desired outputs while addressing risks.

Using the framework provided by ISO, companies can design systems and processes that work together to deliver desired outputs (i.e., products or services). An organization should endeavor to define its outputs accurately, after understanding customer requirements, both stated and unstated. ISO standards allow companies of any size and industry to implement them; hence, a lot is left open to interpretation.

Despite this, certification to these management system standards delivers confidence to potential and existing customers that the company is implementing a process with the intent of continual improvement. Across the globe, an ISO management system certification, such as ISO 9001, gives confidence of a certain basic framework being implemented and followed.

Risks are identified in the context of the organization. The organization’s core process derives its objectives directly from the company policy. Key and support procedures ensure that these objectives are met in order to deliver a confirming product or confirming service.

Why ‘ISO-ized’ systems fail

This understanding of how a management system works to deliver products and services must be understood in the spirit of the ISO standard. The standard is not like a magic wand that will guarantee excellence or success. It needs careful interpretation to design the processes necessary to meet stakeholder requirements. Unfortunately, many companies try to “ISO-ize” their management systems by simply writing processes and procedures around the standard’s clauses, with no regard to whether the processes or procedures make sense for their business. Many ISO-ized management systems fail to deliver sustained success because such systems can’t deliver the feedback that a good system should.

Processes must be documented around what users actually do. These processes then need to be resourced, controlled, monitored, audited, and reviewed for continuing suitability, adequacy, and effectiveness. Organizations blunder into believing that ISO-izing their systems is the panacea to all their problems. It is not. Management systems documented to reflect a standard’s clauses only benefit external auditors of the systems. Auditors and auditing are an integral part of a system, but they are meant to provide objective inputs for improvements, not to dictate how the system functions. Good management systems should be documented for easy use by their users.

The process approach to systems

A process-based approach is fundamental to implementing a management system. Success in implementing ISO management standards—for efficiency, managing risk, security, environment, aerospace quality, food safety, or whatever—lies in a good plan that accounts for system risks, given the organizational business context. Ideally, a management system should capture the “as-is” of the system, compare it to requirements, and identify any gaps between the two. This enables the design of new procedures and an update of existing procedures. A process approach is designed to meet measurable objectives, ones that are based on the policy of the organization’s leadership. System users do the work to meet the objectives, and the procedures must capture the “how” of what they do.

The relationship between understanding requirements, risks, and inputs to creating the policy should be systematically considered when designing a management system and prior to resourcing it. The system approach as prescribed by ISO standards allows for involvement of the leadership throughout the entire implementation process, i.e., from planning and implementing to monitoring and reviewing for performance for improvement. This motivates top management to take personal ownership of their management systems.

Conclusion

ISO management system standards are not prescriptive and need interpretation by users of the system. Using the plan-do-check-act (PDCA) cycle approach, leaders convey their policy to the system users. The system ensures adequate controls and resources so that outputs correlate with inputs and meet measurable objectives as set. The system allows for feedback to be captured, so risks and opportunities for improvement are identified and addressed in a timely manner.

As for the auditors, let us encourage them to use their innovative approaches to identify how the system meets the standard’s requirements and intent. To make it easy, we could provide them with a cross-reference matrix to demonstrate where the standard’s requirements are met within the documented system procedures.

Bottom line: Embrace your system when developing it to meet requirements, including those per ISO standards, and you will see the benefits of a “de-ISO-ized” system.

About The Author

Inderjit Arora

Inderjit Arora is the President and CEO of Quality Management International Inc. (QMII). He serves as a team leader for consulting, advising, auditing, and training in management systems. He specializes in several ISO and industry specific standards. He is an Exemplar Global certified Lead Auditor and is on the US TAG-176 committee, and a member of the US Submarine League. IJ  is a popular speaker at several universities and forums on management systems, conflict management, crisis communication and leadership. Dr. Arora is a Master Mariner with an MBA from the College of William and Mary and additionally MSC in defense studies and graduation in nuclear sciences. He has a 32 year record of achievement in the military, mercantile marine, and civilian industries. He writes a blog and contributes to several professional magazines, including Quality Digest. His articles have been published in the USCG Proceedings.